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ABSTRACT 

The Nuclear Regulatory Commission’s (NRC) steady progress towards risk-informed 
performance-based regulation (RIPBR) prompted the practical application of this 
regulatory tool in order to demonstrate its potential benefits. This practical demonstration 
makes up one part of an Idaho National Engineering and Environmental Laboratory 
(INEEL) sponsored project entitled Integrated Models, Data Bases and Practices Needed 
for Performance-Based Safety Regulation. Project members selected the emergency 
diesel generator system as a candidate for assessment because of its high risk importance 
for core damage frequency (CDF) as well as for its failure to exhibit fulfillment of its 
current maintenance objectives. 

An analysis of current NRC maintenance and inspection requirements of the 
emergency diesel generators at the Millstone 3 nuclear power plant was performed by the 
project members. Maintenance and inspection items identified as uimecessary or harmful 
to the EDG qualified as candidates for removal from the current surveillaince schedule. 
Expert testimony and comparisons with similar non-nuclear utility industries aided in the 
identification of candidate items. 

Calculations of the subsequent risk, reliability, safety, and economic implications 
revealed several benefits of the inspection alterations. The modified inspection provided 
improved backup power availability and defense in depth during the refueling outage. A 
sensitivity analysis performed on the EDG basic events affected by inspection alteration 
showed that a 50% reduction in these basic event failure rates would decrease the EDG 
system failure probability by 13.9%. The altered inspection also shortens the plant’s 
refueling outage critical path therefore decreasing the risk of fuel damage and improving 
the risk profile of the plant outage. Transfer of the revised inspection to performance 
while the plant is operating at power resulted in identical refueling outage benefits. 
Performance of the inspection at power requires an increase in the allowed outage time 
(AOT) of the plant. The subsequent rise in core damage frequency due to the increased 
AOT is considered negligible. 
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Chapter 1 -- Introduction 

1.1 General 

Emergency diesel generators (EDGs) perform an essential safety function in every 
nuclear power plant in the United States. As the centerpiece of the emergency power 
system, they provide a redundant source of electricity to vital safety equipment in the 
event of a loss of offsite power. 

The failure of a generator to start and run could have far-reaching effects; in 
extreme cases, core damage or even the loss of human life. In order to ensure that the 
generators and their support systems are capable of performing their safety function, 
diesel operators subject the EDGs to numerous mandatory tests and inspections. The 
United States Nuclear Regulatory Commission (NRC) established these surveillances in 
order to ensure that the generators have sufficient reliability to maintain the risk of core' 
damage at an acceptable low value. 

A recent study performed by the Idaho National Engineering and Environmental 
Laboratory (INEEL) [1] considered the EDG power system reliability at length. This 
study indicated that a particular EDG inspection performed during the refueling outage 
was most likely degrading the reliability of diesels utilized by nuclear utilities. That EDG 
inspection is the focus of this report. 
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This report presents an alternative EDG inspection that replaces the current 
detrimental inspection. Improved reliability of the EDG, improved plant safety and 
enhanced plant risk are all benefits of adoption of the new inspection. 


1.2 Background 

In recent years, the United States Nuclear Regulatory Commission (NRC) and the 
nuclear utilities have recognized that the continual improvement of probabilistic risk 
assessment (PRA) methodology has justified an increase in its use as a regulatory tool. 
The NRC now encourages the application of PRA and associated analyses in order to 
reduce xinnecessary conservatism associated with regulatory guides, requirements and 
license commitments. 

The NRC now encourages a risk-informed approach to decision-making where 
utilities propose regulation based on underlying engineering principles and an assessment 
of the impact of proposed changes on the plant design. Risk insights and assessments of 
the change in plant risk then complement this assessment. The NRC terms this process 
risk-informed, performance-based regulation (RIPBR). 

The RIPBR application process is a three-step process initially requiring a 
detailed description of the change and its rationale. The second step requires an extensive 
two-part engineering evaluation of the change. The engineering evaluation begins with a 
traditional deterministic evaluation that proves that the utility satisfies current regulations 
and meets requirements for conservatism and defense in depth. The second part of the 
engineering evaluation requires the utility to perform a probabilistic risk evaluation of the 
change. The results of this evaluation must show that the proposed change is beneficial 
to plant risk or negligibly detrimental. Once the utility completes the engineering 
evaluation, it must formulate a plan for monitoring the implementation of the change and 
ensure that the associated performance goals will be still be met [2]. 

The NRC is currently working with several volunteer utility companies on various 
RIPBR pilot projects. These projects include modification of technical specifications, 
alteration of allowed equipment outage times, in-service inspections and graded quality 
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assurance. These pilot projects should reveal if the NRC move towards utilization of 
RIPER enhances the operational safety of nuclear power plants. RIPER is the basic 
strategy used throughout this work to analyze the EDG inspection alteration at our 
cooperating project utility, Millstone Unit 3 (MP-3). 

1.3 Thesis Objective and Method of Investigation 

Develop an improved refueling outage inspection for emergency diesel generators 
through application of risk-informed, performance-based regulation methodology. 

The first step in the development of the strategy for diesel generator performance 
improvement was to gain a comprehensive understanding of EDGs and their use. We 
performed an extensive study of the history, manufacturer, hardware, and operation of the 
EDGs at Millstone 3. We used this information, along with expert judgment provided by 
the engineers at Millstone 3, to alter the EDG refueling outage inspection. This alteration 
included the elimination or periodicity extension of several items with the overall 
outcome being a shortened, more efficient inspection that is less intrusive to the diesel 
and reduces the opportunity for human-induced failures. 

Professional insight and nuclear EDG history were not the only influences on the 
final streamlined inspection. This report also relied upon the expertise of non-nuclear 
industry uses of emergency diesel generators. Chapter 5 presents the expert input 
provided by the Federal Aviation Administration, the United States Navy, and civilian 
hospitals. 

Jeffrey Dulik, another participant in this study, also influenced the final form of 
the inspection. He researched monitoring and sensing equipment that could replace or 
possibly enhance specific inspection items [3]. 

Once the final form of the inspection is established, there are two possibilities for 
the application of the new inspection. The first option is to continue to perform the 
inspection during the refueling outage. Chapter 6 presents this option and the associated 
risk benefits of the strategy. A shortened inspection has a measurable impact on the 
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critical path of the power plant during its outage. We measure this impact in terms of the 
hours required to perform it. We present the associated economic benefits later in this 
report. A shortened inspection also reduces the probability of fuel damage during the 
refueling outage. Chapter 6 discusses this impact at length. 

The second option is to perform the remaining inspection while the plant is 
operating at power. Chapter 7 shows that this change would reduce the refueling outage 
critical path duration and the probability of fiiel damage during the refueling outage. This 
change increases the core damage frequency while the plant is operating and the 
inspection is being performed. However, the resulting rise in risk is negligibly small 
according to standards set by the NRC and Electrical Power Research Institute (EPRI) 

[ 2 , 4 ]. 

Chapter 8 contains a discussion of the resulting economic and safety benefits of 
the proposed changes. The final results of this study demonstrate the significant safety as 
well as economic benefits of the altered inspection. 

1.4 Terminology 

This report utilizes terminology that is standard within the nuclear industry 
whenever possible. The following defined terms provide additional clarity: 

• Allowed Outage Time CAOT’i -- The maximum allowed time out of service for 
equipment while the plant is operating at power. The value of this requirement is set 
by the NRC and is different for each plant. 

• Critical Path -- For a refueling outage, the sequence of operations that must be 
performed serially; these critical equipment outages prevent the plant from returning 
to an operational full power status. 

• Defense in Depth fPID') — The principle of requiring redundancy in equipment and 
procedures, so that failure of a single component or procedural step does not cause an 
undesired consequence. 

• Infant Mortality — A period of high equipment failure rate following the introduction 
of the equipment into service. 
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• Probabilistic Risk Assessment (PRA) - A systematic method for transforming 
knowledge of basic events in a plant and their occurrence frequencies into 
corresponding integrated system risk profiles. 

• Risk-informed, performance-based regulation (RlPBRf - An approach to decision¬ 
making based on an assessment of the engineering impact of proposed nuclear power 
plant equipment and procedural changes and their associated impact on plant risk. 

• Surveillance - A planned maintenance or test performed to meet either regulatory 
requirements or performed voluntarily for investment protection of the plant. 
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Chapter 2 — Literature Search 


2.1 General 

This section summarizes the literature search performed on the historical path of 
PRA that eventually led to the research performed in this work. This search is divided 
into two parts: documents dealing with PRA history and its application, and documents 
dealing with EDG performance and improvement. 

2.2 PRA 

WASH-1400 [5], the reactor safety study completed in 1974, is the definitive 
document upon which all nuclear PRA work has been subsequently based. Sponsored by 
the United States Atomic Energy Commission, WASH-1400 is the initial (extensive) risk 
assessment of nuclear power plants that outlines a series of seven tasks (see Figure 2.1). 
Performance of these tasks revealed that the predominant risk in a nuclear power plant is 
that of a radioactive fission produet release. The report identified the reactor cooling 
system as the subsystem whose failure initiates this risk making the cooling system the 
critical portion of the plant. 
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Figure 2.1 WASH-1400 Seven Task Assessment [6] 

Although the technical results of WASH-1400 were not fully accepted by nuclear 
industry professionals and government officials at the time of its release, this document is 
important because it established the systematic method for transforming initiating events 
into risk profiles that we today term PRA. Many non-nuclear industries have watched the 
evolution of nuclear PRA with interest because most aspects of nuclear PRA, with 
suitable alterations, apply to other fields. 

The latest format of nuclear PRA studies consists of a five step process as 
outlined in the NRC document NUREG-1150. These steps, outlined in Figure 2.2, are 
very similar to the original seven tasks in WASH-1400. 


Accident-Frequency 


Ac cident-P ro gr e ssi on 


Source-Term 


Offsite G onsequence 


Risk 

Analysis 


Analysis 


Analysis 


Anal5rsis 


Cdculation 


Figure 2.2 Schematic Diagram of Modem PRA Calculational Sequence [6] 


New advancements and sophisticated models have prompted the NRC 
increasingly to adopt PRA technology as a tool in regulatory decision making. The NRC 
recently issued the 1995 Probabilistic Risk Assessment Policy Statement [7] which along 
with the PRA Implementation Plan [8] is intended to add PRA to the set of tools used by 
the agency. The NRC now requires that a plant-specific PRA be submitted by each 
power plant licensee. This PRA fulfills the plants' obligations under the Individual Plant 
Examination and the Individual Plant Examinats-Extemal Events programs. These 
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reports are currently being evaluated by the NRC staff in order to identify individual plant 
risk vulnerabilities. 

Leading this move towards increased utilization of PRA is the NRC Chairman, 

Dr. Shirley A. Jackson. She also has endorsed the use of RIPBR, and in 1996, she 
subsequently directed the NRC staff to reconstruct its Standard Review Plan and to issue 
corresponding Regulatory Guides for the aid of licensees attempting to incorporate 
RIPBR into their PRA analysis. The result of this directive was the November 1996 
issuance of DG-1061, an NRC draft regulatory guide promoting the use of PRA for 
making plant-specific, risk-informed permanent current licensing basis (CLB) changes 

[9]. 

In February of 1997, the NRC issued an additional draft regulatory guide that 
describes an acceptable approach for applying risk-informed methods to Technical 
Specifications. This guide, DG-1605 (Revision 5), specifically addresses changes to 
plant allowed outage times (AOTs) and surveillance test intervals (STI) [10]. Also 
delivered in February were the RIPBR Standard Review Plan revisions [11]. 

2.3 Emergency Diesel Generator 

Despite the long history of EDG use in nuclear power plants, the nuclear industry 
produced no significant reports concerning the reliability and performance of nuclear 
diesels until the 1980s. NUREG/CR-2989, Reliability of Emergency AC Power Systems 
at Nuclear Power Plants [12], was the first major report to address the reliability of 
EDGs. This report addressed the reliability of the on-site ac power system as it relates to 
the expected frequency of station blackout. In 1986, the Nucleeir Science Advisory 
Committee produced a report entitled The Reliability of Emergency Diesel Generators at 
US Nuclear Power Plants [13] which also addressed the reliability of EDGs although its 
evaluation methods conflicted with those used in NUREG/CR-2989. In the late 1980s, 
the Electric Power Research Institute produced a report on EDGs that specifically 
addressed monitoring and diagnostic techniques that could improve nuclear EDG 
reliability [14]. 
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As the use of PRA began to expand in the early 1990s, the NRC Office for 
Analysis and Evaluation of Operational Data (AEOD) undertook an effort to ensure that 
expanded PRA use could be implemented in a consistent and predictable manner. To 
achieve this goal, AEOD initiated a review of the functional reliability of risk-important 
systems in nuclear power plants. One system chosen for performance evaluation was the 
EDG power system. This evaluation resulted in INEL-95/0035, Emergency Diesel 
Generator Power System Reliability, 1987-1993, which was produced by Idaho National 
Engineering and Environmental Laboratory (INEL) [1]. This study looked at the 
reliability of EDGs in 44 plants using actual operating experience under conditions 
similar to those experienced during an actual loss of offsite power. 

2.4 Conclusion 

Although the NRC rejected WASH-1400 in 1974, the conclusion that the reactor 
cooling system was the largest risk contributor to fission product release was not 
incorrect. In fact, the cooling system is still the largest risk contributor in most plants 
today. Since EDGs are responsible for powering the cooling system and all other safety 
systems in case of a loss of offsite power, they themselves are a large contributor to risk. 
With the increased use of PRA, it is not surprising that INEL was asked to look at EDG 
reliability in depth. 

The INEL report, along with recent NRC PRA documents, form the basis for a 
project entitled Integrated Models, Data Bases and Practices Needed for Performance- 
Based Safety Regulation. Part of this project involves the application of PRA to specific 
EDG reliability issues identified by the INEL report. One such issue identified by the 
authors of the INEL document was the intrusive inspection performed on the EDG during 
the refueling outage. 

The work in this report looks at the EDG refueling outage inspection in depth and 
proposes changes through the application of PRA as a result of the author’s involvement 
with the project on Integrate Models, Data Bases and Practices Needed for Performance- 
Based Safety Regulation. 
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Chapter 3 -- The Millstone 3 EDG System 

3.1 Introduction 

In order to propose steps for reliability improvement of the diesel, we must first 
present a complete illustration of current EDG requirements and performance issues. The 
current EDG inspection requirements are necessarily complex and rigorous in order to 
ensure that nuclear safety goals are met. However, this complexity has in some instances 
resulted in inspection processes that have structural weaknesses and inspection 
requirements that produce no apparent benefit [15]. In some cases, these inspection 
requirements result in a degradation of the reliability and performance of the diesel. 

3.2 General Description 

The Millstone 3 (MP-3) plant utilizes a typical emergency power supply design 
that consists of two independent emergency power supply trains connected to separate 
emergency diesel generators. Most safety systems employ a similar redundant 
combination in order to safeguard against failure of single component systems. Table 3.1 
summarizes the vital parameters of the two identical EDGs utilized at MP-3. Each of the 
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Manufacturer 

Colt-Pielstick 

Number of Cylinders 

14 

Operating Cycle 

4-stroke 

Rating 

4.16 kV 

3 phase 

60 Hz 

Capacity 

4,986 kW (continuous) 
5,335 kW (2000 hour) 


Table 3.1 MP-3 Emergency Diesel Generator Parameters 

EDGs is capable of starting automatically and accelerating to rated speed and subsequent 
loading of all safety and essential shutdown loads within a minimum time interval (for 
MP-3, this time interval is eleven seconds). In the case of an emergency power demand, 
one operable EDG is sufficient to handle all safety loads [16]. . 



Figixre 3.1 Emergency Diesel Generator System 

































Each EDG has independent support systems to further utilize redundancy and 
minimiz e the occurrence of common cause failures. A schematic of one of the EDGs and 
its many subsystems is illustrated in Figure 3.1. The dashed line represents the boundary 
of the system and demonstrates that most of the support systems are internal to the EDG 
system. 

3.3 Testing and Inspection Requirements 

The primary fiinction of the diesels at MP-3 is to supply power to the plant safety 
systems in the event of a loss of offsite power. These safety systems are vital loads 
needed to maintain the plant at a safe condition imtil offsite sources restore power to" the 
utility. The NRC requires MP-3 to periodically test the generators and related support 
systems to ensure that the EDGs can perform this vital safety role. These tests primarily 
consist of periodic time-based runs of the diesel that demonstrate the ability of the 
generator to fulfill its designed load and response criteria. These tests also provide a 
means to track and demonstrate the reliability of the EDG to ensure that it has a small 
effect on the core damage frequency (CDF) of the plant. 

In addition to the periodic test runs, the NRC also requires specific maintenance 
to be performed on each EDG. Each maintenance requirement routinely includes some 
sort of inspection, visual or otherwise, to be performed in conjunction with the periodic 
maintenance. These numerous tests, maintenance plans, and inspections are outlined by 
the NRC in the Technical Specifications(TS) of MP-3 [17], a pertinent excerpt of which 
can be found in Appendix A. 

3.3.1 MP-3 Technical Specification 4.8.1.1.2.g.l 

This project deals specifically with Technical Specification 4.8.1.1.2.g.l which 
requires that each diesel be subjected to an inspection recommended by the manufacturer 
of the EDG. MP-3 must perform this inspection on each of its diesels during the plemt's 
refueling outage. This corresponds to inspection frequency of once every 18 months. 
Appendix B contains the Colt-Pielstick maintenance instructions for standby diesels that 


20 



form the basis for all diesel maintenance performed at MP-3 [17]. Table 3.2 contains the 
section dealing specifically with the refueling outage inspection (ROI) [16]. 


2. Remove and check injection nozzles for operation and opening pressure. 

3. Remove, disassemble, clean and repair all air start valves and air start distributors. Clean/replace air 
start distributor filter. 

4. Drain and refill governor and turbochargers with approved oil. 

5. Drain, flush and refill outboard bearing with approved oil. 

6. Check tightness on all foundation, block to base, oil and water line bolts. 

7. Check sample of rocker lube oil for condition and contaminants. 

8. Check turbocharger inlet casing and turbo casing water passages for scale. The inside surface of these 
casings is the best indication for adequacy of water treatment. 

9. Check for tightness of exhaust manifold flange bolts to cylinder head (165-195 ft lbs.). 

10. Check all safety and shutdown controls for appropriate pressures and temperatures. 

11. Borescope all cylinder liners. 

12. Inspect the crankcase end of all cylinder liners. 

13. Check main bearing cap tightness and side bolts. Alternately confirm cap tightness to frame and 
saddle to .0015 feeler gauge. 

14. Visually examine gear train and drives, cam shafts and bearings, push rods and rocker arms. 

15. Check crankshaft alignment and bearing clearances. 

16. Check connecting rod bearing clearances with feeler gauges. 

17. Inspect all ledges and comers in crankcase for debris which could indicate other mechanical 
problems. Confirm all cotters, safety wire and lock tabs are in place and tight. 

19. Check alternator coils and poles for indication of movement (visual). 

20. Drain and refill alternator bearing lube sump. If oil has contaminates, pull bearing cap and inspect 
journal. 

21. Inspect and clean (if required) overspeed trip mechanism. Check operation according to overspeed 
trip test instructions. 


Table 3.2 Colt-Pielstick Annual/Refuel Inspection Items 


Millstone 3 has written two plant-specific maintenance procedure guides based on 
the recommendations of Colt-Pielstick. The first guide. Production Maintenance Diesel 
Generator Mechanical Maintenance (MP 3720CB) [18], is a general maintenance guide 
that contains weekly, monthly, annual, and refueling outage inspection and maintenance 
items. The second document, Emergency Diesel Generator Surveillance Inspection (SP 
2712K) [19], is a detailed disassembly inspection guideline and checklist for the ROI. 
Although these two guidelines both contain specific refueling outage inspection items, 
they remain separated because of the different emphasis of the documents. 
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Both of these docximents contain inspection and maintenance items that are not 
required by Colt-Pielstick but were determined by MP-3 to be beneficial to the individual 
EDGs. For this reeison, this project will focus only on the items listed in Table 3.2 as 
these are items required of MP-3 regardless of the benefit or detriment which these items 
may have on the diesels. 

3.4 Conductor Inspection 

MP-3 performs extensive detailed planning prior to each refueling outage at the 
utility. The diesels are an integral part of the outage plan and must be taken out of 
service in such a way as to minimize their impact on the critical path of the plant yet at 
the same time ensure that an appropriate amoimt of defense in depth is maintained. The 
last planned refueling outage that took place at MP-3 began in April of 1995. We present 
the 1995 outage in order to illustrate the planning and execution of the ROI at MP-3. 

3.4.1 Electrical Power Supply Outage Schedule 

Figure 3.2 is a reproduction of the planned electrical power supply outage strategy 
utilized by MP-3 to carry out required maintenance and testing of all electrical systems. 
This outage schedule is in the form of a time bar chart which is a typical format for 
outage planning utilized throughout the nuclear industry. At the top of the chart, the 
months of April and May are broken up into weeks so that the approximate starting day 
and time of each outage can be quickly determined. A time bar indicating the length of 

each shutdown in hours represents each scheduled equipment outage. The “ D =_ 

symbol gives the approximate time that MP-3 expects each item to be out of service 
(OOS). Exact start dates and times of the outages are indicated to the left of each bar 
while the ending dates and times are indicated to the right of each bar. 

The far right hand side of the chart gives a brief description of the equipment that 
is unavailable during each time period. The three main equipment categories that the 
electrical power supply outage schedule cover are electrical buses, transmission systems, 
and the EDGs. There are three transformers that appear in this schedule. They include 
the normal station transformer (NSST), the ‘A’ reserve station transformer (A RSST) and 
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the ‘B’ reserve station transformer (B RSST). The NSST is the normal source of offsite 
power at the plant while the ‘A’ and ‘B’ RSSTs provide a backup source of power in the 
event that the normal power transformer is unavailable. 

The electrical power supply outage schedule includes numerous bus outages. 
However, only two of the bus outages affect the ability of the EDGs to supply power in 
the case of a loss of offsite power. The two buses in question are bus 34 B/D and 
bus 34 C. We address the impact of these two buses on the EDGs later in this report. 

The outage schedule shows that MP-3 scheduled each EDG outage in 1995 for 
approximately 170 hours, or approximately seven days. EDG outages must not overlap 
since one diesel must be available at all times in case of a loss of offsite power. This 
results in a total diesel outage time of 340 hours. Numerous EDG tests occur during this 
outage time but the bulk of the time is taken up with the ROI. ]^-3 allocates 
approximately 120 of the 170 hours of each outage to the ROI for a total outage time due 
to both ROIs of 240 to 250 hours. 

The MP-3 diesel maintenance engineer utilizes the chart in Figure 3.2 as a general 
guideline for the conduct of the EDG outage. In addition to this, he uses a much more 
complex beir chart that details the allotted time for each test and individual inspection 
item. The MP-3 diesel maintenance engineer uses both of these plans as guidance 
throughout the refueling outage but is also required to produce real time or “as built” bar 
charts that detail the actual timeline for each inspection item and the overall conduct of 
the diesel outage. 

3.4.2 Inspection Team Makeup 

The MP-3 diesel maintenance engineer conducts the actual ROI with the aid of 
four to five workers at any one time. Typically, two of these workers are the regular 
diesel operators while the remaining laborers are general mechanics temporarily brought 
in from other parts of the plant. These workers usually operate continuously in two shifts 
so that there are a total of eight to ten workers carrying out the inspection and 
maintenance [21]. 
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In addition to the MP-3 employees, a Colt factory representative must be present 
throughout the entire ROI. The Colt representative is responsible for evaluating the 
condition of the engine and ensuring that all MP-3 workers perform all inspection items. 
They are additionally responsible for reviewing all Colt Service Information Letters [22] 
with the maintenance engineer. These letters detail problems that have occurred in 
similar Colt diesels since their manufacture and provide strategies for preventing similar 
occurrences in MP-3 diesels. 

3.5 The ROI Dilemma 

The current EDG refueling outage inspection has frustrated diesel operators and 
engineers for several years. In regulatory documents, the ROI is termed an “inspection” 
and at worse, a “disassembly inspection.” In practice, however, those tasked with 
carrying out the inspection refer to it more aptly as a teardown. It is a time-consuming, 
intrusive process that leaves the diesel vulnerable to human error and exposes the plant to 
unnecessary safety degradation [15, 20]. 

The root of the problem is simple; the diesels used at nuclear power plants to 
provide backup power were not designed for that use. Manufacturers designed these 
diesels mainly for marine operation in which they operate for extended periods of time 
with heavy loads. Overhauls of these diesels typically occur after logging hours in the 
thousands to tens of thousands range. The operators of these diesels perform overhauls 
to identify worn and degraded parts resulting from extended operation. Nuclear utilities, 
by contrast, usually perform diesel overhauls after only approximately one hundred hours 
of use. 

It is easy to imderstand why this has happened. When MP-3 and the NRC 
established the Technical Specifications, the authors most likely acknowledged that the 
EDGs would not log the hours typically required for a major overhaul. However, both 
parties considered overhauls a necessary part of a comprehensive maintenance program. 
Instead of requiring a minimum number of hours of operation before overhaul, a time 
constraint was chosen by the TS authors as a convenient alternative. This move is similar 
to an automobile weirrantee — 3 years or 30,000 miles. In order to make the overhaul of 
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the diesel compatible with the operating cycle of the power plant, the overhaul frequency 
was matched to the refueling cycle. MP-3 most likely adopted this policy based on the 
belief that the plant was less vulnerable to reactor fuel damage during the refueling period 
and therefore the need for an EDG was reduced [15]. 

The utilities established the overhaul requirements at a time when the plants had 
little operational history. Today’s on-line monitoring systems and techniques were not 
available to diesel operators. Regulators established strict deterministic guidelines with a 
great deal of built-in conservatism and inflexibility. However, today’s more systematic, 
performance-oriented regulatory climate has prompted evaluation of the current 
regulations, which, in the case of the EDG, have been found to be lacking. 

The authors of the INEL report on EDG reliability felt that there was a general 
trend of over-testing and over-inspecting the diesel which the operational history of the 
EDGs did not warrant [15]. The overhaul inspections were not finding the wear and tear 
on diesel parts that the regulators designed them to find. Instead, they found that these 
inspections were an avenue in which human errors might induce immediate or latent 
failures. Other failures may be introduced through non-human means such as the 
warpage of parts upon removal. The immediate failures, which contribute to the infant 
mortality rate of the EDG, were not well documented by diesel operators but rather were 
related to the authors through numerous anecdotes. Experts explained the reason for this 
lack of documentation as a result of a grace period that the utility gives to the diesel 
operators at the completion of the ROI. This policy allows operators to run the diesel to 
ensure its operability before the commencement of recorded testing. The diesel operators 
and the NRC do not consider failures that occur during the trial run to be recordable [21]. 

An additional concern addressed in the INEEL report was the omission of 
maintenance out of service (MOOS) demands as failures when determining a plaint’s 
ability to meet its EDG safety goals. A MOOS failure occurs when there is a real demand 
on the diesel during a loss of offsite power event and the diesel is unavailable to operate 
because it is being inspected or having maintenance performed. In order to avoid the 
danger that this situation implies, utilities have traditionally performed the overhaul 
during plant shutdowns. However, it has become widely recognized that the times of 
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greatest plant risk may not be those when the plant is operating at high power. Rather, 
when a plant is undergoing refueling, its vulnerability for reactor fuel damage due to fuel 
cooling failures may be considerably greater than when at high power. This is because of 
the greater complexity of plant configuration control — with an attendant increase in 
human error probabilities, and because of reduced redundancy in accomplishing the fuel 
cooling functions. The requirements for EDG intrusive inspections exacerbate the 
possibilities of such cooling failures during refueling outages and may actually increase 
plant fuel damage risks. Reduced inspection requirements would reduce this concern 
[1,15]. 

There are structural problems with the ROI as well. The required presence of the 
Colt representative results in a difficult dilemma for the EDG system team at MP-3. The 
NRC requires only that MP-3 carry out those inspection items deemed necessary by the 
manufacturer. Document SP 3712K outlines the inspection stating specifically that 
“Inspection items may be altered or deleted if sufficient justification warrants the change 
as judged by the Colt representative and the MP-3 maintenance engineer [19].” 

According to the MP-3 maintenance engineer, this rarely happens in practice. If any part 
of the inspection is eliminated or shortened by MP-3, this in turn shortens the time that 
the Colt-Pielstick representative is needed as a consultant at MP-3. A termination of 
inspection items might also result in a smaller demand for Colt-Pielstick manufactured 
replacement parts. These reasons provide a possible explanation for the impasse in 
adjusting the set of required inspections experienced in MP-3 and other plants [21]. 

In summary, consensus exists among those persons who operate, inspect and 
evaluate the EDG that the utilities, with the cooperation of the NRC, need to improve or 
even eliminate the current overhaul requirements. They cause far too frequent invasion 
of the equipment which often results in failures caused by human error. The outage time 
associated with the ROI is significant and unnecessarily increases the probability of 
damage to the reactor fixel due to the EDG being unavailable for service. The ROI was 
established at a time when there was no operational history. However, today’s experience 
and insight demonstrate the diesel ROI can and should change accordingly. 
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Chapter 4 — ROI Improvement Proposal Based on Nuclear 
Industry Expert Opinion 


4.1 Introduction 

The present ROI contains both structural and operational problems that can 
benefit from change. In order to develop an improved ROI, we used the expert opinion of 
the diesel engineer at MP-3 to assess each inspection item. The compilation of his 
suggestions and recommendations result in a streamlined version of the original ROI. 

The abbreviated inspection emphasizes non-intrusive practices, engine analysis, and 
improved human oversight. 

4.2 Structural Change 

The first step in the improvement of the performance of the diesel involves 
removal of barriers that currently inhibit change. Currently, the main barrier to alteration 
of the ROI is the power which TS 4.8.1.1.2.g. 1 affords the manufactixrer of the EDO. No 
change can take place in the ROI unless the manufacturer, whom MP-3 pays to oversee 
the ROI, approves of the alteration. This results in an obvious conflict of interest. 

Alteration of this fundamental structural problem can only take place through a 
change in the Technical Specification. This report justifies inspection alteration through 
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the presentation of the numerous risk and safety benefits that an altered ROI will produce. 
A formulation of an alternative structure for the administration of this TS is not the focus 
of this work. However, we discuss possible options in Chapter 10 as a starting point for 
future work in this area. 

4.3 ROI Assessment 

Identification of those parts of the ROI that do not benefit the EDG at MP-3 is a 
crucial step in the alteration of the inspection. We accomplished this identification 
process through a series of interviews with the MP-3 diesel maintenance engineer [21]. 
The maintenance engineer has an extensive knowledge of the engine past performance 
history as he has been responsible for the diesel maintenance since the plant start up. He 
has conducted EDG inspections through five refueling outages and is currently involved 
with proposing changes to the ROI in conjunction with the EDG owner’s group. 

The diesel engineer carefully reviewed each of the twenty inspection items before 
issuing an opinion on the best way to improve the individucd requirements. In order to 
determine the best option for each requirement, the diesel engineer answered the 
following questions: 

1) What is the purpose of this item? 

2) Does this requirement accomplish its purpose? 

3) Is the requirement excessively intrusive to the diesel? 

4) Could this item be eliminated? 

5) Could this inspection item be improved or replaced with the aid of 
monitoring? 

6) Could this inspection item benefit from periodicity extension? 

Each of these questions hits on a key aspect for improvement of the performance of the 
diesel. 

4.3.1 Individual Requirement Purpose 

The first two questions concerning the purpose of each requirement ascertain the 
fundamental goal of each inspection item. If an inspection item is not accomplishing its 
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purpose, there is no reason to continue carrying out the item. Unnecessary items are time 
consuming and provide needless avenues for human error introduction. Additionally, if 
the item does not accomplish its purpose, this may mean that the inspectors should adopt 
an alternative inspection method. 

4.3.2 Excessive Intrusiveness 

The question of “excessive intrusiveness” is a vital assessment that addresses the 
potential detriment of individual inspection items. Intrusiveness is a broad term that 
expresses the level of entry into the diesel required by a particular inspection. Diesel 
experts consider inspection items intrusive if they require disassembly of several parts of 
the diesel. A determination of excessive intrusiveness requires the diesel engineer to 
weigh the potential benefits and detriments of each item. If the benefits realized by the 
performance of an inspection do not outweigh the potential downsides, then the diesel 
engineer considers the requirement excessively intrusive. We considered inspection 
items automatic candidates for alteration if the diesel engineer determined the items to be 
excessively intrusive. 

Reduction of intrusiveness benefits the hardware of the diesel in several ways. 
Every time a diesel worker disassembles a part of the diesel, the EDG is potentially 
exposed to warpage and the introduction of moisture. Both of these phenomena can 
cause degradation of the diesel performance and in some cases, failure. Intrusiveness 
additionally exposes the diesel to the introduction of errors caused by human action. The 
diesel inspectors can improperly disassemble or reassemble the EDG. Tools, clothing, or 
loose diesel parts can fall inside of the diesel. Additionally, diesel operators may 
misplace parts during disassembly which can potentially delay completion of the 
inspection. 

4.3.3 Item Elimination 

Some inspection items may qualify for total elimination if the diesel engineer 
considers the initial purpose of the requirement unnecessary. A determination of total 
elimination requires the diesel engineer to assess the benefits of the inspectiott and to 
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determine if the information gained by the inspection is valuable or gives unique 
information about the status of the diesel. Unnecessary inspection items consume time 
and resources and provide an additional avenue for the introduction of human error. 

Total elimination can apply to both intrusive and non-intrusive items. 

4.3.4 Monitoring As An Alternative 

Engine analysis and monitoring can replace or enhance current inspection 
requirements. The EDGs at MP-3 utilize a ne^vly installed engine analysis system called 
RECIPTRAP. This system provides a copious amount of information to the operators of 
the diesel and has proved quite valuable since its installation. The MP-3 diesel engineer 
stated that the information provided by this system could adequately replace several of 
the current inspection items. The diesel engineer also suggested use of additional 
monitoring devices not Curreiitly in place at MP-3 that could adequately replace current 
inspection items [21]. 

4.3.5 Periodicity Extension 

The final question posed to the diesel engineer was that of the periodicity 
extension of individual items. Periodicity extension refers to the lengthening of the 
current eighteen month time-base of the ROI for specific requirements. This would apply 
to items that the diesel engineer feels are necessary for the safe operation of the diesel but 
the inspection requires too frequently. The diesel engineer often recommended 
periodicity extension in conjunction with engine analysis. 

4.4 ROI Recommendations 

Tables 4.1 - 4.3 display the diesel engineer’s expert opinion and assessment of 
each inspection item. Each table represents one of three categories of alteration that MP- 
3 should make on the individual inspection items. The first table lists those inspection 
items that provide net benefits to the diesel in their present manner. The diesel engineer 
recommended that no changes be made to these items. Table 4.2 contains those 
inspection items that the diesel engineer feels will benefit from periodicity extension. 
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The final table, Table 4.3, contains inspection requirements that the engineer feels will 
benefit from replacement with monitoring or sensing equipment. 

Each of the three tables is organized in an identical manner. The first column lists 
the inspection items currently required by Colt-Pielstick. There are two item numbers 
missing from the table. The numbering of the items begins at number two because item 
one refers to performance of regular maintenance required of the diesel operators and is 
not an actual inspection item. Item 18 is missing from the table because the manufacturer 
no longer requires this item and current literature does not contain the updated numbering 
system. Item three is in both Tables 4.2 and 4.3 as the engineer felt that it could benefit 
from the installation of sensing equipment as well as periodicity extension. 

The second column of each table contains a brief description or commentary on 
the inspection requirement. In some cases, this commentary describes the inspection 
process if it is unusual or unclear. In other cases, the commentary sets forth the objective 
of a particular inspection item. 

The final column contains the recommendations of the diesel engineer. After 
careful consideration of the six questions outlined in Section 4.3, he delivered a 
commentary that outlines problems with the current inspection. This column contains the 
engineer’s proposed solution to improve the inspection item. 

The diesel engineer recommended that eleven of the nineteen inspection items 
remain imaltered (Table 4.1). The MP-3 engineer noted that inspection of the crankcase 
end of all cylinder liners (Item 12) is an item that provides limited knowledge to the 
inspectors. He did not recommend the item for alteration, however, because of the 
limited resources of time and persoimel required to perform the inspection. The diesel 
engineer identified two items of the nineteen assessed as intrusive inspections that MP-3 
should not alter in any manner. The first such example is Item 13 which requires 
checking the main bearing cap tightness. Despite the intrusive nature of this inspection, it 
is vital to ensure that caps are kept tight in order to avoid bearing damage. The second 
inspection is Item 21 which requires a static test of the overspeed trip mechanism. 
Although the static test is intrusive, it has no adequate replacement and should continue 
as part of the ROI in its original form. 
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Item # 
From 
Current 
ROI 

Checklist 

Current Colt-Pielstick 
Requirement 

Description 

MP-3 Diesel Engineer 
Recommendations 

5 

Drain, flush and refill outboard 
bearing with approved oil. 

The outboard bearing is subjected to oil 
replacement to ensure a high quality and 
appropriate level of oil is present within 
the equipment. 

No change recommended. 

6 

Check tightness on all foundation, 
block to base, oil and water line 
bolts. 

Bolt checking tasks involve verifying that 
they are wrench tight. Properly tightened 
bolts prevent leakage and insure the 
integrity of the diesel. 

No change recommended. 

7 

Check sample of rocker lube oil 
for condition and contaminants. 

A comprehensive assessment of oil quality 
can identify numerous problems within 
the EDG including water leaks and 
corrosion. 

No change recommended. 

8 

Check turbocharger inlet casing 
and turbo casing water passages 
for scale. The inside surface of 
these casings is the best indication 
for adequacy of water treatment. 

Proper water treatment is essential because 
it protects the hardware of the diesel from 
corrosion. 

No change recommended. 

10 

Check all safety and shutdown 
controls for appropriate pressures 
and temperatures. 

Safety systems on the diesel guarantee 
that the EDG will shut down if it is 
operating in a dangerous condition. 

No ch^ge recommended. 

12 

Inspect the crankcase end of all 
cylinder liners. 

This inspection is performed to identify 
debris that has entered this space. 

This inspection is not 
intrusive but has limited 
usefulness. 

13 

Check main bearing cap tightness 
(9950-1100 psi hydraulic) and 
side bolts (hammer tight). 
Alternately confirm cap tightness 
to frame and saddle to .0015 feeler 
gauge. 

The consequence of loose bolts in this 
area can be serious. The bolts are checked 
for proper tightness to prevent bearing 
damage. 

This inspection is 
intrusive but should be 
performed. 

16 i 

1 

Check connecting rod bearing 
clearances with feeler gauge. 

This check determines the need for 
bearing replacement and is now performed 
visually. 

No change recommended. 

17 1 

Inspect all ledges and comers in 
crankcase for debris which could 
indicate other mechanical 
problems. Confirm all cotters, 
safety wire and lock tabs are in 
place. 

This visual inspection identifies debris 
that may cause future problems within the 
diesel. 

No change recommended. 

20 

Drain and refill alternator bearing 
lube sump. If oil has 
contaminants, pull bearing cap 
and inspect journal. 

A comprehensive assessment of oil quality 
can identify numerous problems within 
the EDG including water leaks and 
corrosion. 

No change recommended. 

21 

Inspect and clean (if required) 
overspeed trip mechanism. Check 
operation according to overspeed 
trip test instructions. 

This inspection is a static test that ensures 
the trip mechanism moves smoothly. This 
equipment performs an important safety 
role within the diesel. 

This inspection is 
intrusive but beneficial 
and should not be altered. 


Table 4.1 Refueling Outage Inspection Items Not Recommended for Alteration 
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Item # 
From 
Current 
ROI 

Checklist 

Current Colt-Pielsfick 
Requirement 

Description 

MP-3 Diesel Engineer 
Recommendations 

3* 

Remove, disassemble, clean 
and repair all air start valves 
and air start distributors. 
Clean/replace air start 
distributor filter. 

Engine starting is 
accomplished by the action of 
compressed air on the 
cylinders in their proper firing 
order. All valves and 
distributors must be 
completely disassembled and 
cleaned. 

Short runs of the EDG tend to 
leave “gunk” which this 
inspection reveals. However, 
problems in this area can be 
revealed with the aid of 
temperature sensors on the air 
supplv line. A periodicitv 
extension to once everv other 
refuel would be beneficial. 

4 

Drain and refill governor and 
turbochargers with approved 
oil. 

The governor and 
turbochargers are subject to 
oil replacement in order to 
ensure a high quality and 
appropriate level of oil is 
present within the equipment. 
Oil lubrication is an essential 
part of a comprehensive 
maintenance plan. 

This practice is not intrusive or 
time consuming but does 
provide an opportunity for 
human error. Periodicitv 
extension would be beneficial 
here. 

14 

Visually examine gear train 
and drives, cam shafts and 
bearings, push rods and 
rocker arms. 

A visual check of these areas 
allows for the identification of 
excessive wear or damage. 

The bearing check is an 
intrusive process. The 
periodicitv should be extended 
to every other refuel. 


Table 4.2 Refueling Outage Inspection Items Recommended for Periodicity Extension 
(*Item 3 also appears in Table 4.3 as it benefits from both periodicity extension and installation of sensing 
equipment.) 

Table 4.2 lists the three items that the MP-3 diesel engineer identified as 
benefiting from periodicity extension. These are items where the engineer judges that the 
current ROI requires being performed too frequently — to the detriment of the diesel 
itself Item three requires the inspector to disassemble and clean all of the air start valves. 
Although this type of inspection can reveal problems with the valves, engine analysis can 
also reveal this information without the intrusiveness of disassembly. However, periodic 
cleaning of the air start valves is still beneficial and the new inspection should require 
cleaning every other refueling outage as a maintenance procedure. 

Item four requires the inspection team to drain and refill the governor and 
turbocharger oil. Although changing oil is a good maintenance practice, the small 
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number of hours that the diesel operates does not justify changing the oil every refueling 
outage. The diesel engineer judged that extension of the oil change to once every other 
refueling outage will not noticeably degrade the oil quality. 

Historically, the visual inspection of the camshaft bearings has foimd scoring on 
only one occasion. Further investigation has determined that this scoring occurred during 
the original startup of the diesel. Subsequent inspections have found no problems and the 
diesel engineer recommended that this inspection be performed only once every other 
refueling outage. 

It is important to note that periodicity extension does not necessarily mean that 
MP-3 should only perform an individual item every other refueling outage. In some 
cases, the inspection team can split a task between two refueling outages. For example, 
the team can inspect half of the air start valves during one refueling outage leaving the 
other half for inspection during the next ROI. This practice promotes continuity and 
standardization between subsequent ROIs and allows the operator performing the 
inspection to be more familiar with the mechanics of disassembly. 

MP-3 has implemented several monitoring and trending programs since the 
diesels were first operated. Monthly lubrication oil analyses, start time trending, and 
cylinder temperature trending all provide alternate, indirect methods for determining the 
existance of possible engine problems. The diesel engineer expressed the importance of 
parallel execution of all of these programs that in many cases provide more information 
about the status of the diesel than visual or disassembly inspections. Lubrication oil 
analyses is especially important because it can reveal internal engine water leaks and can 
even identify excessive parts wear or bearing problems if analysis detects metal particles 
in the sampled oil. 

Table 4.3 summarizes the alterations that the diesel engineer judges are justified 
with the use of current monitoring and trending programs that are currently available to 
diesel operators. MP-3 already utilizes several of these progreims and the diesel engineer 
hopes to implement others in the future. Two benefits realized through use of monitoring 
and sensing equipment are the reduction in the number of intrusive practices and the 
reduction in the numbers of avenues for human error [21]. 
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Item # 
From 
Current 
ROI 

Checklist 

Current Colt-Pielstick 
Requirement 

Description 

MP-3 Diesel Engineer 
Recommendations 

2 

Remove and check injection 
nozzles for operation and 
opening pressure. 

Injection nozzles spray fuel into 
the cylinder. The nozzles are 
subjected to a static test which 
assesses their spray pattern and 
opening pressure. Failure of the 
injection nozzle or pump will 
result in an increased loading on 
the other pistons to maintain 
engine power output. 

The static test currently performed is 
not an accurate simulation of actual 
run conditions. Engine analvsis 
would be more beneficial especially 
since this is and extremely intrusive 
practice. Also, there is evidence 
that the engine is not sensitive to 
minor failures of the injectors. 

3* 

Remove, disassemble, clean and 
repair all air start valves and air 
start distributors. Clean/replace 
air start distributor filter. 

Engine starting is accomplished 
by the action of compressed air on 
the cylinders in their proper firing 
order. All valves and distributors 
must be completely disassembled 
and cleaned. 

Short runs of the EDG tend to leave 
“gunk” which this inspection 
reveals. However, problems in this 
area can be revealed with the aid of 
temperature sensors on the air 
supply line. A periodicity extension 
to once every other refuel would be 
beneficial. 

9 

Check for tightness of exhaust 
manifold flange bolts to cylinder 
head (165-195 ft.lbs). 

Proper tightness of bolts insures 
that significant exhaust leakage 
does not occur. 

This practice is time consuming and 
could be replaced with exhaust 
leakaee monitoring. 

11 

! 

Borescope all cylinder liners. 

Borescoping of the cylinder liners 
involves inserting a viewing 
device into the individual 
cylinders. The borescope allows 
the inspector to identify areas of 
excessive wear. 

This practice is unnecessary and 
extremely intrusive. No problems 
have been identified in the MP-3 
diesels with this method and the 
liners always look brand new, 

Eneine and oil analvsis as well as 
monitoring of the firing pressure 
would reveal the problems this test 
was designed to identify. 

15 

Check crankshaft alignment and 
bearing clearances. 

This test provides information 
about bearing condition and 
alignment of the crankshaft. 

Proper alignment is essential for 
operation of the diesel. 

Web deflection is very intrusive and 
difficult to perform. It has never 
revealed problems at MP-3. 

Vibration analvsis and oil analvsis 
would both reveal any problems. 

19 

Check alternator coils and poles 
for indication of movement 
(visual). 

This inspection reveals problems 
caused by arcing within the diesel. 

This inspection is not intrusive to 
the internals of the diesel but 
requires a great deal of outer 
disassembly to access the area. This 
practice is veiy time consuming and 
could be replaced with resistance 
monitorine. 


Table 4.3 Refueling Outage Inspection Items Recommended for Replacement with 
Engine Analysis, Monitoring, or Sensing Activities (*1161113 also appears in Table 4.2 as it 
benefits from both periodicity extension and installation of sensing equipment.) 


Monitoring and sensing techniques have some disadvantages and costs. 
Introduction of new equipment into the system requires retraining of the operators. For 
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example, proper and rigorous training of diesel operators is necessary before MP-3 
implements the new equipment. Also, the equipment itself may malfunction and provide 
incorrect readings. In order to combat malfunctioning sensors, the diesel operators must 
install multiple apparati in order to provide redundant, and therefore more reliable, 
readings [3]. 

4.4.1 ROI Recommendations Summary 

The MP-3 diesel engineer is very familiar with the operational history of the two 
EDGs in question. His recommendations are based on extensive experience and first¬ 
hand application of the Colt-Pielstick requirements. The ROI alterations listed in Tables 
4.2 and 4.3 drastically reduce the intrusiveness of the current overhaul and place 
increased reliance on monitoring and sensing equipment. 

4.5 Recommendation Comparison 

In order to assess the value of the recommendations made by the MP-3 diesel 
engineer, we solicited additional opinions from sources within the nuclear industry. The 
first set of opinions comes from the diesel engineer at Millstone 2 (MP-2) [23]. His 
opinions concerning the individual inspection items closely agree with those made by the 
MP-3 diesel engineer. We also reviewed a second set of recommendations for ROI 
changes from the EDG Owners' Group and discovered several similarities with the 
proposed alterations [24]. 

4.5.1 MP-2 Diesel Engineer 

We obtained an additional expert opinion concerning the Colt-Pielstick ROI from 
the diesel engineer at MP-2 in an effort to assess the consistency of the recommendations 
made by the MP-3 engineer. The MP-2 diesel engineer has extensive EDG experience 
and fills the same position as the MP-3 engineer on the ROI team. We selected him for 
his expertise and because he oversees the MP-2 diesels in a similar management and 
operational environment as that of MP-3. Additionally, the diesel operators and laborers 
utilized during the ROI activities in MP-2 are trained similarly to those working in MP-3. 
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Although Colt-Pielstick manufactures the diesels utilized in MP-2, the EDGs are 
opposed piston diesels, which make them fundamentally different from those utilized in 
MP-3. This structural difference results in a distinct set of ROI requirements that are 
difficult to compare to the MP-3 requirements. We therefore asked the MP-2 diesel 
engineer to review the MP-3 requirements and give his opinion on the inspection items 
based on his general diesel expertise. Using the same six questions as a guide, the MP-2 
diesel engineer proposed the recommendations found in Table 4.4. 


Item # 
From 
Current 
ROI 

Checklist 

Current Colt-Pielstick Requirement 

MP-2 Diesel Engineer 
Recommendation 

2 

Remove and check injection nozzles for .. 
operation and opening pressure. 

One fourth of the injectors usually fail the 
“pop” test. However, the engine does not 
appear to be sensitive to these failures. Beta 
RECIPTRAP vibration readings may be a more 
beneficial test. 

3 

Remove, disassemble, clean and repair all air: 
start valves and air start distributors. 
Clean/replace air start distributor filter. 

The periodicity of this inspection should be 
changed to 36-48 months. 

4 

Drain and refill goyemor and.turbochargers 
with approved oil. 

The governor oil should be replaced every 36- 
48 months. 

10 

Check all safety and shutdown controls for 
appropriate pressures and temperatures. 

Recommend periodicity change to 36 or 48 
months. 

11 

Borescope all cylinder liners. 


No change. Beta RECIPTRAP may reveal 
problems with liners. 

15 

Check crankshaft alignment and bearing , 
clearances. . 


Recommend extension of periodicity to 36 
months. 

19 

Check alternator coils and poles for indication 
of movement (visual). 

Opposed piston diesels do not have an access 
problem but other diesels may experience 
difficulty. 

21 

Inspect and clean (if required) overspeed trip 
mechanism. Check operation according to 
overspeed trip test instructions. 

Periodicity should be extended. 


Table 4.4 MP-2 Diesel Engineer Recommendations for EDG Refueling Outage Inspection Changes 
[Shaded items indicate agreement with recommendations made by the MP-3 diesel engineer] 


The MP-2 diesel engineer identified eight inspection items that he judged would 
benefit from alteration. This number is identical to that identified by the MP-3 diesel 
engineer. The six shaded items in Table 4.4 are requirements that both of the diesel 
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engineers identified as candidates for alteration. The recommendations for these six 
items are not exactly the same but have a similar nature. The alterations suggested by the 
MP-2 engineer consisted mostly of recommendations for periodicity extension. This 
contrasts with the MP-3’s alterations which relied more heavily on engine analysis and 
monitoring. 

The MP-2 diesel engineer was quick to mention that the diesels at MP-2 were not 
as rigorously monitored as those in MP-3. This may account for the lack of engine 
analysis replacement in his recommendations. The MP-2 diesel engineer did, however, 
attempt to note items that he judged could be replaced by engine analysis. For example, 
he listed the borescoping required by Item 11 as a possible candidate for replacement by 
engine analysis. 

The MP-2 diesel engineer judged that the current Colt-Pielstick requirements 
subjected the diesels to unnecessary intrusiveness that alteration of the ROI would 
reduce. He also agreed that the recommendations made by the MP-3 diesel engineer were 
appropriate for the MP-3 diesels. 

4.5.2 Fairbanks Morse Owners’ Group 

MP-3 is a member of the Fairbanks Morse Owners’ Group (FMOG), an 
organization of utilities that utilize Colt-Pielstick diesels (Fairbanks Morse manufactures 
Colt-Pielstick diesels). FMOG recently released a set of proposed changes to the ROI 
requirements [24]. These will soon be presented to Colt-Pielstick for adoption. The 
recommendations made in this document are confidential at this time but they agree 
closely with the recommendations made by the MP-3 diesel engineer. This is not 
surprising as the MP-3 diesel engineer assisted to a limited extent in the preparation of 
these recommendations. 

4.5.3 Summary 

Comparison of the recommendations of the MP-2 diesel engineer and the FMOG 
to the ROI alterations proposed by the MP-3 diesel engineer reveals that all agree that 
MP-3 should alter its inspection requirements. The MP-2 diesel engineer and the 
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Owners' Group both recommend a majority of the items recommended for alteration by 
the MP-3 engineer. This demonstrates that the MP-3 engineer’s recommendations are 
valid alterations which address inspection items that contradict fundamental engineering 
practices. 

The MP-3 diesel engineer’s familiarity with the operational history of the MP-3 
diesels may account for recommendations for specific item alterations that the MP-2 
engineer and FMOG did not recommend. For example, the MP-3 engineer recommended 
an increase in the periodicity of camshaft bearing inspections that the MP-2 diesel 
engineer did not suggest. The MP-3 diesel engineer based this recommendation upon the 
operational history of the EDGs in MP-3 with which the MP-2 diesel engineer is not 
familiar. 

We henceforth treat the MP-3 diesel engineer’s ROI alterations as constituting a 
reference set of recommendations, based upon sound engineering principles that increase 
the reliability of the diesels. 

4.6 Conclusion 

The MP-3 diesel engineer has a comprehensive and extensive knowledge of the 
EDGs at MP-3. His recommendations for the ROI fell into one of three categories: 1) 

No change, 2)periodicity extension, or 3)engine analysis, monitoring, or sensing 
replacement. Of the nineteen items currently required by Colt-Pielstick, the MP-3 
engineer recommended the alteration of eight of them. Comparison of additional expert 
opinion recommendations to those made by the MP-3 engineer revealed agreement with 
his alterations. The ROI resulting from his recommendations is a streamlined inspection 
set that is much less intrusive into the diesel and relies heavily upon engine analysis, 
monitoring and sensing for indication of EDG degradation. We utilize the improved 
refueling outage inspection (IROI), summarized in Table 4.5, throughout this work as a 
model for diesel reliability improvement. 
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IROI 
Item # 

IROI Requirement 

1 

Remove, disassemble, clean and repair half of all air start valves and air start distributors. 
Clean/replace associated air start distributor filter. 

2 

Drain and refill governor and turbochargers with approved oil every other refuel. 

3 

Drain, flush and refill outboard bearing with approved oil. 

4 

Check tightness on all foundation, block to base, oil and water line bolts. 

5 

Check sample of rocker lube oil for condition and contaminants. 

6 

Check turbocharger inlet casing and turbo casing water passages for scale. The inside 
surface of these casings is the best indication for adequacy of water treatment. 

7 

Check all safety and shutdown controls for appropriate pressures and temperatures. 

8 

Inspect the crankcase end of all cylinder liners. 

9 

Check main bearing cap tightness (9950-1100 psi hydraulic) and side bolts (hammer tight). 
Alternately confirm cap tightness to frame and saddle to .0015 feeler gauge. 

10 

Visually examine gear train and drives, cam shafts, push rods and rocker arms. Visually 
examine camshaft bearing every other refuel. 

11 

Visually check connecting rod bearing clearances. 

12 

Inspect all ledges and comers in crankcase for debris which could indicate other mechanical 
problems. Confirm all cotters, safety wire and lock tabs are in place. 

13 

Drain and refill alternator bearing lube sump. If oil has contaminants, pull bearing cap and 
inspect journal. 

14 

Inspect and clean (if required) overspeed trip mechanism. Check operation according to 
overspeed trip test instmctions. 


Table 4.5 Final Set of Improved Refueling Outage Inspection (IROI) Requirements 


41 






























Chapter 5 -- Non-Nuclear Power Industry EDG Standards and 
Requirements 


5.1 Introduction 

The nuclear power industry is not the sole operator of diesel engines for 
emergency or standby use. Diesels are used for emergency backup power throughout the 
country in hospitals, laboratories and buildings where elevator use is critical. The Federal 
Aviation Administration maintains EDGs at its air traffic control centers in order to 
provide backup power for vital equipment in case of a loss of offsite power. The US 
Navy uses EDGs onboeird nuclear surface ships and submarines in order to provide power 
to safety systems if the reactor is shut down. All of these applications rely upon the EDG 
in some way to prevent the loss of human life or property making their reliable operation 
critical. 

Although EDG experts within the nuclear power industry agreed that the ROI 
requirements are intrusive and performed too frequently, they generally had little 
knowledge of how these requirements compared to EDG practices outside the nuclear 
power industry. A survey of experts in the US Navy, the FAA and non-nuclear industries 
revealed that they generally agreed with the assessment of the nuclear EDG experts. The 
EDGs in these various industries undergo overhaul rarely, if ever. A line by line 
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comparison of the eighteen month inspection requirements for the nuclear power 
industry, the FAA, and the US Navy reveals that the nuclear power inspection is much 
more rigorous and intrusive to the diesel than inspections required by the others. 

Despite less-rigorous and intrusive inspections, the other groups using EDGs 
appear to be quite satisfied with the performance and reliability of their respective diesels. 
This knowledge, in conjunction with the line-by-line ROI comparison, supports the 
nuclear power industry expert opinion that the EDGs willl benefit from alteration of the 
intrusive inpections. 

5.2 US Hospitals 

A loss of commercial power in a hospital can be disastrous for patients depending 
upon electrically powered life-sustaining equipment. Emergency diesel generators 
literally become a lifeline for these people during a power outage. For this reason, the 
EDGs used in hospitals are governed by numerous safety codes which set forth 
maintenance and testing requirements designed to keep the diesel operating at a high 
level of reliability [25]. 

Maintenance engineers in two Boston area hospitals answered questions 
concerning the diesels that they supervised [26, 27]. Both engineers have extensive 
experience with the diesels in their care and are familiar Avith the operational history of 
each of the diesels. The EDGs used in these hospitals are manufactured by various 
vendors and vary greatly in age and load capacity. The operators of these diesels, 
however, subject all of the diesels to the same testing and maintenance requirements. 

Hospital employees perform most of the maintenance and testing on their diesels 
although each of the hospitals also hires a certified generator maintenance contractor to 
fulfill periodic additional maintencince needs. The contractor only performs an overhaul 
on these diesels when testing or routine maintenance reveals a problem. One of the 
maintenance engineers recalled only one overhaul taking place at his hospital over a 
period of twenty-two years. That particular diesel needed an overhaul as a result of 
numerous instances of unloaded operation. 
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When asked about the source for the diesel testing and maintenance requirements, 
both engineers stated that they have some freedom to set their own requirements. 
However, both stated that they understand the minimum standards to which they must 
adhere are set by the Joint Commission on Accreditation of Healthcare Organizations 
(JCAHO). 

5.2.1 Code Requirements 

An investigation of the JCAHO requirements for testing and maintenance of 
EDGs revealed that this organization is one of three groups that dictate guidelines for safe 
operation of emergency diesel generators in hospitals. These three groups provide fairly 
consistent requirements that they encourage but do not require each hospital to adopt. 

5.2.1.1 The JCAHO 

The JCAHO is a national accreditation organization whose mission is to improve 
the quality of care provided to the public. Hospitals seek accreditation from this 
organization in order to prove to the public, insurance companies, and others that it 
adheres to a set of standards recognized as those belonging to a quality healthcare 
organization. The JCAHO standards focus mainly on EDG testing and leave 
maintenance plans to the individual hospital [25]. 

5.2.1.2 The National Fire Prevention Association 

The National Fire Prevention Association (NFPA) is also a voluntary, non¬ 
governmental association dedicated to fire safety and related hazards. The NFPA has 
established two codes that affect the operation of EDGs in hospitals. The first code deals 
specifically with healthcare facilities while the other is a general standard for emergency 
and standby power systems. Testing requirements set forth by these codes are very 
similar to those required by the JCAHO. The NFPA also stresses the importance of 
development of a preventive maintenance program and publishes a set of comprehensive 
periodic maintenance items that it recommends for the safe operation of EDGs [28]. 
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5.2.1.3 The National Electrical Code 

The final source of requirements for EDGs in hospitals is the National Electrical 
Code (NEC). The guidelines and testing set forth by the NEC are extremely general and 
compliance with the JCAHO and NFPA requirements ensure compliance with NEC 
standards [25]. 

5.2.2 Code Requirement Compliance 

None of the organizations listed in Section 5.2.1 enforce the standards that they 
propose for safe operation of EDGs. Compliance by the individual hospital is voluntary 
although some states require accreditation for fulfillment of licensing requirements. 

Also, a satisfactory accreditation status of a hospital may favorably influence the liability 
insurance premiums of the hospital [29]. In this respect, hospitals abide by JCAHO 
standards because of economic motivation. We observe it is also reasonable to assume 
that hospitals comply with JCAHO and NFPA standards out of a moral obligation to 
preserve human life. 

5.2.3 Hospital EDG Summary 

Although EDG testing and maintenance requirements are not as strenuous as 
those required in nuclear power plants, engineers that oversee the hospital diesels judge 
that their generators perform at a high level of reliability even though they typically 
cannot quantify its value. Hospitals rarely, if ever, perform overhauls on their diesels. 
Although the JCAHO, the NFPA, and the NEC do not rigorously enforce their standards, 
they do provide a standard guideline for all diesel engineers to adhere to regardless of 
diesel manufacturer or diesel size. Individual maintenance plans and overhaul schedules 
are left to the discretion of the diesel engineer charged with the direct oversight of the 
individxxal EDGs. 

5.3 The Federal Aviation Administration 

The Federal Aviation Administration (FAA) is the federal agency charged with 
oversight of all civilian air travel, both public and private, in the United States. Operating 
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under the Department of Transportation, the FAA’s primary mission is to establish and 
enforce standards that ensure safe operation of all aspects of the aviation system. 
Emergency diesel generators operated by the FAA contribute to the safe operation of the 
National Airspace System [30]. 

Facilities that must maintain aids to air navigation and traffic control utilize EDGs 
at all times and under a variety of conditions. If a control site loses offsite commercial 
power, EDGs and emergency batteries are the only defense against failure of the facility. 
If a facility fails to operate, air traffic in that area will slow considerably as control is 
passed to adjacent centers. This situation took place on December 18, 1997 at a control 
center in Kansas City when a worker inadvertantly shut down both halves of the redudant 
primary power circuit system while performing routine maintenance. Although the 
EDGs were operational, the nature of the human error prevented both the diesels and the 
batteries from providing power to the control station [31]. This type of failure results in 
inconvenience for air travelers and a loss of revenue for the airlines. A more drastic 
consequence of a failed facility is the possibility of an air crash due to loss of approach 
radar or communications. Thus, high reliability and safe operation of the EDGs are 
paramount to the FAA [32]. 

5.3.1 General Description 

The FAA owns, operates and maintains approximately 3000 standby generators in 
the US. A majority of the generators operated by the FAA are diesel powered and range 
in size from 1.5kW to more than 550kW. Most of these units have a fully automatic start 
system designed to assume the facility load if interruption of the prime offsite power 
occurs. The FAA utilizes continuous monitoring of operating EDGs to assess the engine 
for dangerous overspeed, excessive load, high temperature and low oil pressure. 

Readings outside of the allowed tolerances set for these parameters will automatically 
shut down the diesel [30]. 
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5.3.2 Maintenance Requirements 

Maintenance guidelines and requirements for the diesels operated by the FAA are 
set forth in Order 6980.1IB: Maintenance of Engine Generators [30]. This order is a 
comprehensive guideline that outlines procedures for proper maintenance and inspection 
of all engine generators utilized by the FAA. The order contains detailed diesel generator 
information as well as a section tailored specifically for diesels in standby operation. 

An initial review of the maintenance requirements detailed in this order reveals 
what appears to be an enormous number of required action items. However, many of 
these items are testing requirements which we eliminated for comparison purposes. The 
remaining items, while thorough, are liberally peppered with visual checks and 
maintenance items that should be performed “if required.” 

One notable maintenance requirement that fits into the “if required” category is 
the overhaul of EDGs and other diesels operated by the FAA. Item 204, which outlines 
this requirement reads as follows: 

204. ENGINE OVERHAUL. Check to determine need for overhaul of 

engine, accessories, and turbocharger. Overhaul if required [30]. 

The FAA does not determine this need for an overhaul at a pre-determined interval. 
However, they do require that a qualified technician make this assessment and 
subsequently determine the depth of a particular needed overhaul. The author of Order 
6980.1 IB stated that while FAA diesels sometimes require major maintenance, overhauls 
are infrequently, if ever performed. He stated that proper maintenance of the diesels 
ensures that by the time FAA diesels qualify for an overhaul, the age of the diesel usually 
justifies replacement of the entire diesel [32]. 

5.3.3 Enforcement of Standards 

The FAA is in a unique situation in that it sets its own standards, implements 
those standards, and then enforces those standards upon itself. In order to combat a 
possible conflict of interest, the FAA periodically dispatches technical evaluators to their 
facilities to gauge the level of compliance of individual facilities with FAA requirements. 
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One such technical evaluator stressed that although this program provides a certain level 
of enforcement, its main purpose is to improve the overall performance of the diesels. 

The FAA technical evaluator also observed that the FAA’s inherent ownership of 
its diesels is a different relationship from that of the NRC and the utility EDGs. While 
the FAA regulates and enforces its rules upon itself, the NRC regulates and enforces 
standards upon the utilities which are independent, separate entities. The technical 
evaluator judged that this difference may account for the FAA’s more liberal approach to 
the frequency of diesel overhauls [33]. In other words, since the FAA has direct 
oversight, it can better judge the specific maintenance needs of its diesels. By contrast, 
the NRC may have extremely stringent rules in order to compensate for utilities with 
relatively lax standards. 

Although the FAA and nuclear utility EDGs are regulated in contrEisting ways, the 
end relationship is not profoundly different. In both cases, the FAA and the individual 
utilities both have an inherent interest in the good performance of their diesels regardless 
of the method of regulation. Therefore a more liberal EDG overhaul frequency may be 
appropriate for individual utilities. 

5.3.4 FAA EDG Summary 

The FAA demands adherence to a specific, general set of EDG periodic 
maintenance requirements regardless of the individual manufacturer of the diesel. These 
general maintenance requirements consist mainly of visual checks and maintenance that 
diesel operators should perform if they identify a need to do so. The FAA performs 
overhauls rarely, if ever. Despite this apparently liberal approach to diesel maintenance, 
FAA diesel generator experts feel that the performance and reliability of these diesels are 
acceptable. Unfortunately, the FAA has conducted no studies that track the reliability of 
these diesels. However, the FAA cannot directly link the death of a single human or an 
aircraft crash to the failure of an EDG at an FAA air traffic control facility. 
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5.4 The United States Navy 

The use of EDGs by the US Navy to provide backup power for nuclear reactors on 
board ships is notably similar to the use of EDGs in the nuclear industry. The Navy’s 
long history of nuclear power utilization has provided ample opportunity for reassessment 
and continual improvement of its EDG maintenance requirements. A review of the 
Navy’s current requirements reveals a comprehensive maintenance program as well as a 
detailed inspection program that explicitly emphasizes non-intrusive practices. 

5.4.1 Maintenance History 

Until the late 1950s, the US Navy operated under a very reactive-type 
maintenance environment known as progressive maintenance. Organized maintenance 
plans were rare and Navy personnel only repaired equipment when broken or 
malfunctioning [34]. Planned preventive maintenance programs became more widely 
adopted in the early 1960s [35]. These programs were also fairly reactive in that they 
established maintenance requirements based upon individual events zis failures occurred 
instead of developing a generalized program that workers could apply to all equipment. 

The Navy established preventive maintenance programs because of a belief that 
this type of maintenance would combat the decreased reliability associated with the 
increasing age of equipment. However, studies done in the mid-1960s revealed that 
unreliability did not increase dramatically with the age of the equipment. In fact, the 
largest problem identified with these studies was the problem of high failure rates of 
equipment following maintenance (infant mortalities). This discovery prompted the navy 
to search for a more systematic approach to developing preventive maintenance task 
needs. 

In the early 70’s, the Department of Defense adopted a maintenance technique 
first utilized by the airlines in the maintenance program for the Boeing 747. This 
technique utilized a decision tree to identify critical maintenance tasks which affected the 
unreliability of operations. This efficient and systematic approach to preventive 
maintenance was first applied by the Navy to its newly designed aircraft. Shipboard 
implementation of this method occurred in 1978 and was termed Reliability-Centered 
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Maintenance (RCM) by the Navy. Currently, RCM still forms the basis for maintenance 
performed on shipboard Naval equipment. 

The objective of RCM is to maintain the inherent reliability of the equipment 
design. RCM avoids focusing directly on subsystems and individual equipment and 
instead concentrates on identifying functionally significant items. Maintenance planners 
must then determine maintenance tasks for these items based on an analysis of their 
function and dominate failure modes. Once the planners select a task, they can then 
determine the specifics of an inspection item like its periodicity. Today these 
maintenance tasks fall into the following three categories: l)time-directed tasks, 
2)condition-directed tasks, or 3)the do nothing option. Personnel must perform time- 
directed tasks at specific intervals without consideration of other variables. Condition- 
directed tasks are performed by workers at specific intervals or after a number of specific 
events and then observed conditions are compared with an appropriate standard. Finally, 
RCM may determine that the best maintenance strategy for a particular item may be for 
no maintenance on a particular item. 

In order to develop a schedule for condition-directed tasks, the Navy utilized a 
tool called age-reliability analysis. Age-reliability analysis is a set of techniques that 
identify the relationship between system or equipment probability of failure and elapsed 
times since its manufacture or last complete overhaul. The Navy used this technique in 
the early 1980s to establish maintenance schedules for the few maintenance tasks that 
were not time-based. 

Recently, the Navy announced that it will move increasingly towards condition- 
based maintenance. In conjunction with this, the Navy resumed work on age-reliability 
analysis. A report produced on this subject in 1993 foimd evidence to support that 
premature failure following overhaul is common and that evidence of equipment wearout 
necessitating complete overhaul of equipment is uncommon. In addition, the study found 
that routinely-authorized overhauls seldom prevent equipment failures [35]. 
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5.4.2 Diesel Generator Maintenance 

Although the history of diesel generator maintenance roughly follows the overall 
maintenance history of the Navy, there is one important difference. In 1987, the Navy 
established a formal program to provide routine inspections of all diesel engines by 
qualified Diesel Engine Inspectors (DEI). The Navy established this unique program as a 
result of an acknowledgment by the Navy that a standardized method of assessment was 
needed for this vital piece of equipment. The DEI program is not only a successful 
inspection program but also establishes a central group of experts that Naval personnel 
can call upon to troubleshoot diesel problems at any time [36,37]. 

5.4.3 US Navy Diesel Inspection 

Every operational diesel engine in the Navy’s inventory must imdergo a diesel 
inspection by a certified DEI every 18 months. This comprehensive inspection includes 
the following three phases: 

I) Review of Records — This phase includes a complete review of the engine 
maintenance history, operating logs, trend analysis, and training of the engine 
operators. 

II) Secured Inspection - This is a disassembly inspection of the diesel based on 
the results of the Review of Records. All or part of the Secured Inspection may 
be waived at the inspector’s discretion. If this phase is required, the inspector 
decides the degree of disassembly and conducts a thorough evaluation of the 
internal condition of the engine. 

III) Operating Inspection - The DEI conducts a thorough review of the engine 
operating parameters using appropriate technical manuals as a guide [38]. 

The Secured Inspection phase is similar in makeup to the nuclear industry ROI • 
except that manuals dictating the conduct of this inspection repeatedly emphasize to the 
DEIs that they should “Keep teardown to the absolute minimum required to accomplish 
and adequate inspection [36].” This attitude was also expressed repeatedly by a DEI 
throughout the observation of one such inspection that took place on board a US Navy 
submarine. The DEI conducting this inspection was careful to point out the merits of 
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minimum intrusion to the emergency diesel. He also pointed out non-intrusive 
evaluations of the diesel that can identify possible problems within the diesel [37]. 

One specific issue addressed by the DEI was that of borescoping of the cylinder 
liners. Although horoscope equipment is available within the Navy, inspectors hardly 
ever use this technology because of its intrusive nature. The Navy only horoscopes its 
cylinders if there are indications that a cylinder is malfunctioning, at which point the 
Navy judges that the intrusiveness is justified. 

An additional goal of the DEI program is to reduce the incidence of human error- 
induced failure. Of the few EDO overhauls that the interview DEI could recall taking 
place, a majority of them were required because of some type of human error or intrusion. 
One particular overhaul, which cost the Navy $7.5 million, was attributed to the 
introduction of a candy wrapper into a submarine’s EDO. The Navy hopes that the 
presence of the DEI during the diesel inspection provides a bamer to these types of 
human errors. 

The official DEI handbook contains the Secured Inspection phase worksheet for 
all Colt-Pielstick diesels utilized by the Navy. Although this inspection worksheet 
applies to both standby and propulsion diesels, the DEI tailors the scope and depth of 
each inspection to fit the individual diesel inspection [36]. 

5.4.4 US Navy Automated Diesel Engine Trend Analysis Program 

The US Navy recently implemented the Automated Diesel Engine Trend Analysis 
(ADETA) program on board US ships to provide a means to collect and analyze diesel 
engine operating parameters. ADETA was designed by the Navy to provide a means of 
effectively monitoring engine operation as well as determining the need for corrective 
maintenance and overhaul [39]. 

ADETA is an automated, personal computer-based system that is capable of 
tracking several different engine parameters including exhaust temperature, crankcase 
pressure and vacuum and lube oil pressure. Although this program is capable of 
troubleshooting parcimeters considered outside of established parameter bounds, it has 
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received some criticism for its inability to identify harmfiil trends that remain inside 
allowed parameter bounds. Currently, diesel operators must still identify harmful trends. 

5.4.5 Diesel Overhaul 

The results of the inspection performed by the DEI and information gathered from 
ADETA form the basis for determining the need for a diesel engine overhaul. Navy 
diesel experts stated that such overhauls usually apply only to diesels used for propulsion 
and are rarely performed on emergency diesels. In fact, most Navy EDGs go without an 
overhaul for the life of the ship which can be as long as 30 years. The DEI whom we 
interviewed judged that this excellent record can be attributed to the expertise and 
standardization which the diesel inspection program provides [37,38]. 

5.4.6 Enforcement 

While each Navy ship owns and operates its own EDG, that diesel is subject to 
Navy-wide standards. The DEI, while a member of the Navy, is not subject to the ship’s 
authority. The Navy instituted this arrangement in order to diminish the possibility of a 
conflict of interest between the ship’s leaders and its diesel operators. A failure to 
comply with the diesel inspection program’s requirements can result in the ship being 
removed from active service in the Navy. Although this action may seem drastic, a 
failure of the diesel could result in a loss of life onboard ship or loss of the entire ship. 
Such an event could affect the Navy’s ability to defend the United States against its 
enemies [37]. 

5.4.7 US Navy EDG Summary 

The United States Navy has taken a systematic approach to improving the 
reliability of the EDGs onboard its warships. Maintenance practices have continually 
evolved to incorporate available technology to the point that Navy EDGs rarely need 
overhauls. This can be attributed in part to a comprehensive inspection program that 
emphasizes non-intrusive procedures and provides each diesel with a pool of trained 


53 




experts. This program has produced an impressive record of high availability and has 
attempted to address the problems of non-availability associated with human error. 

5.5 Inspection Requirement Comparison 

Although each of the major non-nuclear industry groups reviewed here differ 
significantly in the ways in which their maintenance and inspection requirements occur, 
they otherwise share fundamental similarities. First, and most importantly, all three 
groups rarely perform overhauls on their respective diesel engines. These groups perform 
inspections regularly but emphasize non-intrusive practices. Many inspection items are 
visual and depend increasingly on use of modem engine analysis equipment. 

All of the similarities cited above contrast distinctly with nuclear power industry 
EDG practices and ROI requirements. Although it would be an exaggeration to term the 
ROI a “major overhaul,” it does require a significant amount of disassembly, being well 
beyond the amount required by the non-nuclear power industry groups. A detailed 
review of individual inspection items revealed that many of the items required by the ROI 
are performed on a discretionary basis in the non-nuclear industry groups. Table 5.1 
presents this comparison. 

The first column of Table 5.1 contains the items identified by the MP-3 diesel 
engineer as benefiting from elimination or change. Numbers listed in this column refer to 
the current ROI numbering system. The second column contains those items found in the 
Navy’s EDG inspection and overhaul requirements that compare with the ROI items. 

The numbered items in this column come from the DEI handbook and must be performed 
by Naval personnel once every 18 months. The remaining items in the second column 
are Navy overhaul requirements. The final column contains FAA maintenance and 
inspection requirements similar to the ROI items. Numbers found in this column are 
maintenance requirement numbers utilized by the FAA. 

A quick survey of Table 5.1 reveals that a majority of the items in the Navy 
column are visual checks or items performed only during a major overhaul. The FAA 
column is also filled with visual checks and items referred to as incidental. The term 
incidental refers to items that the FAA performs on a discretionary basis. Although there 
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is a general trend of non-intrusive or discretionary items in columns two and three, the 
crankshaft measurements are a notable exception. The MP-3 engineer judged that this 
requirement was very intrusive to the diesel and could be replaced with engine and oil 
analysis [21]. The Navy DEI considered the crankshaft measurements to be important to 
his inspection. At this time, however, the Navy does not utilize analysis equipment 
capable of detecting crankshaft problems. 


MP-3 Colt-Pielstick ROI 
Items Recommended for 
Change* 

Corresponding US Navy 
Requirements^ 

Corresponding FAA 
Standby Generator 
Requirements^ 

2. Remove and check injection 
nozzles for operation and 
opening pressure. 

7.a: Check and record injector fuel 
pump timing on at least two cylinders 
on each bank. 

(18 months) 

206.a: Clean and service fuel 
injectors if required. 

(Annually) 

3. Remove, disassemble, clean 
and repair all air start valves and 
air start distributors. 

Install complete set of injection 
equipment. (Major overhaul) 

203.d: Inspect starter. 

(Biennially) 

4. Drain and refill governor and 
turbochargers with approved oil. 

3.a: Visually inspect turbocharger oil 
level and condition of oil through 
sightglasses. (18 months) 

7.b: Check governor oil level and oil 
leakage around base of governor. 
Visually inspect oil condition through 
sightglass. (18 months) 

203 .b: Drain and replace oil in 
hydraulic governor sump every 
two years, or after 200 hours of 
operation, whichever comes 
first. 

9. Check for tightness of 
exhaust manifold flange bolts to 
cylinder head (165-195 fl.lbs). 

4.a: Visually examine exhaust system 
for leaks during operational test. (18 
months) 

201.i: Examine exhaust and 
combustion air systems for 
leaks. (Monthly) 

11. Borescope all cylinder 
liners. 

Remove all cylinder liners. (Major 
overhaul) 

Discretionary 

14, Perform camshaft bearing 
analysis. 

Remove, inspect, and repair/replace 
camshaft bearings. (Major overhaul) 

Discretionary 

15. Check crankshaft alignment 
and bearing clearances. 

2.m: Take a complete set of 
crankshaft deflection readings and 
bearing presses. 

(18 months) 

Discretionary 

19. Check alternator coils and 
poles for indication of 
movement (visual). 

No reference. 

Discretionary 


Table 5.1 Refueling Outage Inspection Items Recommended for Improvement Listed in 
Comparison to Practices in Other Industries Employing EDGs 
('current ROI requirements [16] ^numbering refers to items found in Navy Diesel Engine Inspection 
handbook [35] ’numbering refers to items found in FAA maintenance manual[30]) 
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5.6 Summary 

A review of non-nuclear industry EDG inspection, maintenance, and overhaul 
requirements reveals that their programs emphasize non-intrusive, visual inspections. 
When contrasted with the ROI requirements at MP-3, these observations validate the 
nuclear experts’ opinions that the ROI items are too intrusive and based upon unsound 
engineering practices. 
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Chapter 6 -- ROl Implementation Risk and Reliability 
Implications 


6.1 Introduction 

The project on Integrated Models, Data Bases and Practices Needed for 
Performance-Based Safety Regulation focuses on three practices that affect the reliability 
of the EDGs and their related systems as seen in Table 6.1. Monitoring, testing, and 
inspecting are common practices utilized in numerous engineering, applications. Each of 
these practices are utilized extensively for maintaining the diesels at MP-3. We carefully 
reviewed the practices currently in place at MP-3 and proposed changes in these practices 
based on industry comparison and expert opinion. Subsequent risk and reliability 
analyses were then performed in order to identify potential improvements resulting from 
the altered practices. This chapter presents the risk and reliability implications of altered 
inspection practices. Dulick’s report details the risk and reliability implications of altered 
monitoring and testing practices [3]. 

Our survey of expert opinion has shown that the proposed improved ROI will 
produce qualitative performance improvements for the EDGs. In order to assess the 
quantitative benefits of the proposed ROI alterations, it is necessary to calculate the risk 
implications of the suggested changes. In the case of the ROI alteration, the plant realizes 
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PRACTICES AFFECTING 
EDG RELIABILITY 

WHAT IS DONE 

HOW PRACTICE AFFECTS 
RELIABILITY OF EDG 

MONITORING 

The diesel and its support systems 
are continuously or periodically 
monitored and tracked with sensing 
equipment especially during tests. 

The information provided by this 
equipment keeps the operators of 
the diesel apprised of the status of 
the EDG and related systems. 

Monitoring can aid EDG operators 
in identifying internal failures or 
harmful performance trends without 
the intrusiveness of some inspection 
practices. Utilization of monitoring 
equipment, however, may introduce 
new failures modes. 

TESTING 

The diesel is periodically operated 
for a specific duration of time 
according to applicable regulations. 
The tests provide information on the 
performance of the diesel and its 
ability to fulfill its safety function. 

Testing ensures that the diesel is 
able at the time of the test to 
perform its vital role of supplying 
backup power and can aid in the 
identification of failures. Over¬ 
testing, however, can unnecessarily 
stress the diesel. Use of improper 
testing intervals and run times, as 
well as the limitations of some tests, 
can prevent identification of 
iihpbrtant failure modes. 

INSPECTION 

The diesel and related systems are 
periodically inspected in order to 
identify excessive wear and latent 
failures. Inspection also ensures 
that preventive maintenance is being 
performed correctly. 

Inspecting the EDG can aid in the 
prevention of failures due to wear or 
poor manufacture. Improper or 
over-inspecting, however, can 
introduce failure through part 
warping, improper disassembly or 
reassembly and numerous other 
possible human errors. 


Table 6.1 Practices Affecting EDG Reliability 


a net benefit as a result of changes in the various risk factors affected by the proposed 
changes. 

In order to estimate these risk changes we first perform a time savings calculation 
in order to assess the risk benefits realized within the refueling outage. The significant¬ 
time savings realized by an improved ROI positively impact the fuel melt frequency 
(FMF) of MP-3, as well as the qualitative level of defense in depth (DID) in the plant. 
Although a shortened ROI does not affect the critical scheduling path of MP-3, 
calculations show that this is a possible future benefit realized by the plant. It also affects 
EDG availability, which has an effect upon other allowed activities and their risk. 
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A sensitivity analysis of the reliability improvements associated with the 
Improved Refueling Outage Inspection (IROI) reveals significant potential reduction of 
the EDG system failure probability. In addition to this, we present the results of a similar 
analysis of the effects of increased EDG monitoring and its use as justification for an 
increase in EDG surveillance interval and a change of test duration. 

6.2 Time Savings Calculation 

Here we calculate the time savings associated with the IROI. This calculation is 
an essential part of our analysis as the resulting time savings impact both the fuel melt 
frequency of the plant and the defense in depth in the plant. 

A team of workers that includes mechanics, laborers, a Colt-Pielstick service 
representative, and the diesel engineer perform the ROI and associated maintenance at 
MP-3. At any given time, there are three to four workers executing the planned ROI 
items. With these workers laboring around the clock in staggered ten hour shifts, the ROI 
for each EDG is completed by the laborers in about seven days. 

In order to calculate the man-hour savings realized by the IROI, we asked the 
MP-3 diesel engineer to give his best estimate of the number of workers and time 
currently required to perform the individual items that he recommended for alteration 
[21]. We calculated the total time saved for each item altered according to Equation 6.1. 


''Laborers^ 

^Required; 




Time 


VSaved, 




('Periodicity^ 
Factor j 


Total Time'^ 
Saved ; 


( 6 . 1 ) 


The Periodicity Factor (PF) contained in Equation 6.1 is a positive multiplicative factor, 
less than or equal to unity, which indicates the frequency at which inspection items are 
currently performed. The PF is equal to unity for items the ROI requires every refueling 
outage. Items recommended for periodicity extension to once every other refuel have a 
PF equal to one half. 

Table 6.1 contains the MP-3 diesel engineer’s estimates of the time savings 
associated with individual inspection item alteration. Additionally, Table 6.1 contains the 
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diesel engineer’s estimate of the number of workers involved with the individual 
inspection items. Utilizing Equation 6.1, this information is then used to find the total 
time saved for each altered inspection item. The results of the calculation can also be 
found in Table 6.2. 


Item# 

From 

Current 

ROI 

Checklist 

CURRENT 

REQUIREMENT 

LABORERS 

REQUIRED 

TIME 

REQUIRED 

TOTAL TIME 
SAVED BY 
ALTERATION OF 
THIS ACTIVITY 

2 

Remove and check injection 
nozzles for operation and 
opening pressure. 

2 workers 

30 hours 
(3 shifts) 

60 hours 

3* 

Remove, disassemble, clean 
and repair all air start valves 
and air start distributors. 

2 workers 

15 hours 
(1.5 shifts) 

*15 hours 


Drain and refill governor 
and turbochargers with 
approved oil. 

1 worker 

1 hour 

*0.5 hours 

9 

Check for tightness of 
exhaust manifold flange 
bolts to cylinder head (165- 
195 ft.lbs). 

2 workers 

10 hours 
(1 shift) 

20 hours 

11 

Borescope all cylinder liners. 

1 worker 

8 hours 

8 hours 

14* 

Perform camshaft bearing 
analysis. 

1 worker 

6 hours 

*3 hours 

15 

Check crankshaft alignment 
and bearing clearances. 

2 workers 

20 hours 
(2 shifts) 

40 hours 

19 

Check alternator coils and 
poles for indication of 
movement (visual). 

3 workers 

20 hours 
(2 shifts) 

60 hours 


TOTAL 

206.5 hours 


Table 6.2 Factors of Estimated IROI Labor Time Savings 

Based upon the MP-3 diesel engineer’s estimates of individual item time savings, 
the total person-hour savings associated with the IROI is 206.5 man-hours. This valuers 
the total of the estimated labor hours located in column 5 of Table 6.2. We note starred 
items with a Periodicity Factor not equal to unity in order to highlight their uniqueness. 
For example, Item 3, disassembly and cleaning of the air start valves, usually requires 
approximately 30 person-hours to perform. The IROI involves only inspecting half of the 
valves during each inspection, which requires only 15 man-hours to perform. Thus we 
entered the 15 hour estimate in Table 6.2. 
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In order to arrive at a time estimate that is useful for risk analysis calculations, we 
must translate the total man-hour savings into saved inspection hours. This is done by 
dividing the total man-hour savings by the number of workers performing the inspection 
at any one time as indicated in Equation 6.2. 

Total Time'l ^ Number of Workers ^ 

Saved J vPerforming Inspection^ 

The MP-3 diesel engineer indicated that three to four workers are performing the 
inspection at any given time. For this evaluation, we used the average number of 
workers, or 3.5 workers, as the number of workers performing the inspection. Using this 
average number of workers results in 59 inspection hours saved or approximately 2.46 
inspection days saved. 

The MP-3 diesel engineer indicated that the inspection team usually completes the 
current ROI, which is typically scheduled for a seven day period, within five days. He 
estimated that an improved ROI that adopts the proposed alterations could be scheduled 
for five days and would actually take about three days to complete [21]. The above 
calculations indicate that the improved ROI will take about 2.54 days to complete 
(estimated five days less 2.46 inspection days saved) indicating that the MP-3 diesel 
engineer’s estimate is slightly conservative. 

We use a time savings of 59 hours throughout this work to estimate the IROI’s 
impact on risk. 

6.3 Defense in Depth 

Concern within the nuclear power industry regarding the adequacy of Technical 
Specification (TS) requirements during plant outages prompted our review of the 
development and bases for these regulations. This review, along with a survey of 
industry experience, found that the NRC did not base TS for shutdown conditions upon 
exhaustive safety analyses like those required for operations at power. This discovery 
prompted the formulation of additional system requirements designed effectively to 




f Inspection Hours' 
Saved > 


( 6 . 2 ) 
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manage outage risk [40,41]. Defense in depth (DID), a strategy commonly used by the 
military to protect vital assets, is one concept adopted by the nuclear power industry in 
order to compensate for uncertainty in the TS. Today the NRC endorses and encourages 
the use of this refueling outage planning strategy. 

The DID concept as utilized at MP-3 aids in the planning and scheduling of 
outage activities in a manner that improves safety system availability. At MP-3, out£^e 
planners use DID as a risk management criterion in order to ensure that redundant, 
alternate or diverse methods are used to ensure that the Key Safety Functions (KSF) of 
the plant are protected [42]. 

The KSF concept is an additional risk management approach that requires MP-3 
to identify the safety systems that are essential for safe operation during an outage. The 
KSF at MP-3 are the Decay Heat Removal, Inventory, Containment, Electrical Power, 
and Reactivity control systems. For each of these functions, MP-3 established a set of 
color-coded DID criteria that defines a level of protection as follows; 

Green — Signifies a condition in which equipment or system redundancy is 
greater than the minimum DID standard. 

Yellow — Signifies a condition in which equipment or system redundancy is 
is equal to the minimum DID standard. 

Orange — Signifies a condition in which equipment or system redundancy is 
is one requirement less than the minimum DID standard. 

Red — Signifies a condition in which equipment or system redundancy is 
is two or more requirements less than the minimum DID standard. 


Guidance for the establishment of actual DID levels for the KSF is provided by 
the NUMARC 91-06 document. Guidelines for Industry Actions to Assess Shutdown 
Management [43]. The minimum DID power availability condition (yellow status) 
requires the maintenance of one available EDG and one offsite power source as well as 
one backup power source. At MP-3, the offsite power sources include the normal station 
transformer (NSST) and the ‘A’ reserve station transformer (RSST). Backup power 
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sources at MP-3 include the unused EDG, the redundant offsite power source and the 
station blackout diesel (SBOD). The SBOD is a non-safety grade diesel capable of 
carrying a limited number of critical safety loads that can be started should both the A 
and B EDG fail under Loss of Offsite Power (LOOP) conditions, thereby leading to a 
station blackout condition. Figure 6.1 is the Shutdown Safety Assessment Checklist used 
by MP-3 to determine its DID level for power supply redundancy. 


Date:_ Time:_ 

17. Power Availability 

Need at least one offsite source, one EDG, and one other. 

□ AEDG(l) _ 

□ BEDG(l) _ 

□ RSST(l) _ 2 ■ 

□ NSSTMAIN(l) _ 3 

Q Station Blackout EDG (1) _ 


Power Total 


CONDITION 

Red 

Orange 

Yellow 

Green 


Figure 6.1 MP-3 Shutdown Safety Assessment Checklist for 
Emergency Power Redundancy [42] 

MP-3 outage planners never deliberately plan to exceed the minimum DID level 
when determining the outage schedule. In other words, the plant will only enter orange 
and red DID levels inadvertantly, as when equipment is unexpectedly removed from 
service or when scheduled maintenance is not completed in the allotted time. At MP-3, 
the goal of outage planners is to remain in the green DID space as much as possible [41]. 

During the April 1995 refueling outage, the maintenance and inspection of the 
electrical power supply system was scheduled for 611 hours. Of this 611 hours, 230 
hours were scheduled for DID level yellow while the remaining 381 hours were 
scheduled for DID level green. These hours correspond to 62.4% at DID level green and 
37.6% at DID level yellow during the electrical power supply system maintenance period. 
Figure 6.2 details the DID levels scheduled during MP-3’s 1995 outage. This figure 
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provides a compacted view of the refueling outage schedule found in Figure 3.2 with 
overlapping scheduled maintenance superimposed onto a single time bar. The resulting 
figure indicates the periods of time in which equipment outages result in different DID 
levels. Additionally, this figure indicates the equipment outages that result in a yellow 
DID level [20]. 


HSST&’B'EDGOOS 





•B' EDG&RSST OOS 


NSST&'A‘EDGOOS 


Giiaen= llkours 
YeIlofw= 14 Iioui5 




Green = SShouis - 


-Yellow = 81 hours 


Yellow = 1351iours 





Green = 208l!iours 


Green = 127houis 
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Figure 6.2 DID Levels for MP-3 1995 Refueling Outage 


6.3.1 Defense in Depth Improvements 

Significant defense in depth improvements are realized when we apply the IROI 
time savings to the out^e schedule. 

In 1995, the outage times for the A and B EDGs were 170 hours and 172 hours, 
respectively. Application of the IROI time savings shortens these outages to 111 hours 
for the A EDG and 113 hours for the B EDG. Figure 6.2 indicates three periods when the 
plant was in DID level yellow. The first and third yellow DID levels are directly affected 
by the shortened EDG inspections. The second DID level is not affected by the shortened 
EDG inspection because the B EDG is out of service as a consequence of the outage of 
bus 34D, not because the B EDG is non-operable due to maintenance. Figure 6.3 shows 
the 1995 Refueling Outage, modified due to application of the IROI. It indicates a 
reduction of the yellow DID level due to the time saving associated with the changed 
EDG inspection. 

Figure 6.3 shows that the first yellow DID level found in Figure 6.2 is entirely 
eliminated as a consequence of the shortened EDG inspection of the B EDG. The second 
yellow DID level of Figure 6.2 is left unchanged because of the “out of service” status of 
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Figure 6.3 IROI-Modified 1995 Refueling Outage DID Levels 

bus 34D. The shortened A EDG inspection reduces the final yellow DID level from 135 
hours to 82 hours. 

Further reduction of the last yellow DID level is limited by the outage of bus 34C. 
Bus 34C has the same effect upon the A EDG that bus 34D has upon the B EDG in that 
its outage renders its associated EDG essentially non-operational. Buses 34D and 34C 
both transmit power generated by the EDGs to the vital safety loads. If they are 
incapable of transmitting this power, the status of the EDG is irrelevant to whether the 
system can provide electric power. The limitations placed upon further DID level 
improvement as a result of the bus outages indicate that further time savings associated 
with the EDG inspections would produce no fiirther DID level improvement. In other 
words, the currently proposed IROI results in the maximum DID improvement possible 
due to alteration of the EDG inspections. 

The DID levels shown in Figure 6.3 result in an overall green DID level increase 
to 73.3% of the total outage reflecting an improvement of 17.5%. This large increase.. 
indicates a significant DID capability improvement. Essentially, MP-3 would remain at 
the highest level of DID for almost three quarters of the electrical system outage. Table 
6.3 further summarizes the DID level improvements associated with the IROI. 
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Outage 

Inspection 

Requirements 

DID Level Green 

(hours/%) 

DID Level Yellow 

(hours/%) 

ROI 

381 hours / 62.4% 

230 hours / 37.6% 

IROI 

448 hours / 73.3% 

163 hours / 26.7% 


Table 6.3 DID Level Comparisons for the 1995 Refueling Outage Subject to ROI and 

IROI Requirements, Respectively 

6.4 Refueling Outage Risk Improvement 

Risk reductions during the refueling outage of a plant are two-fold when MP-3 
utilizes a shortened EDO inspection. Initially, the IROI will alter the risk profile of a 
plant’s scheduled outage resulting in a lower probability of fuel damage. A shortened 
inspection can also conceivably shorten the critical path of the refueling outage yielding 
significant economic benefits for the plant. 

The primary measure of risk during a plant refueling outage is the risk of fuel 
damage. While the plant is in a shutdown status, the spent fuel must be continuously 
cooled until it is removed from the core. This cooling process is accomplished through 
the constant circulation of a coolant through the reactor vessel. A loss of cooling will 
result in eventual boiling and evaporation of the coolant. If cooling is not restored (an 
action highly dependent upon human intervention), the coolant will continue to evaporate 
until the fuel is exposed at which point the fuel is damaged. The three primary modes of 
failure that can cause eventual damage of the fuel during a refueling outage can be seen in 
Figure 6.4. The loss of cooling fault tree displayed here shows that the three modes of 
failure are loss of coolant flow, loss of heat sink, £ind loss of coolant. Both the loss of 
coolant and loss of coolant flow modes depend heavily upon the proper function of 
pumps. In the case of a loss of offsite power, these pumps depend upon the proper 
function of the EDGs. When the EDGs are unavailable due to maintenance or testing, the 
risk of fuel damage increases significantly [40]. This aspect of diesel unavailability can 
be clearly seen in the risk profiles in the following section. 
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Figure 6.4 Fuel Loss of Cooling Fault Tree 


6.4.1 MP-1 Risk Profile 

Although MP-3 produced a risk profile for its 1995 refueling outage, the risk 
profile generated is a relative representation of risk, with no calculated base-line risk 
being estimated [41]. In addition to this qualitative risk profile, a computer program is 
utilized at MP-3 that quantifies the core damage frequency. This program, however, was 
found not to be useful by Millstone PRA experts because of its extreme conservatism 
[40]. Consequently, no reliable risk quantification tools are available for MP-3’s 1995 
refueling outage. 

Despite this lack of analytical capability, MP-3 will still gain risk reducations 
with utilization of a shortened inspection. The EDGs are one of the largest contributors 
to risk when the plant is operating at power and during the refueling outage. Any 
reduction in the un-availability of the EDG will decrease the overall probability of core 
damage. This is typical of all plants in the US. 

In order to demonstrate the potential improvements of a shortened EDG 
inspection, we use the risk profile of MP-l’s refueling outage [40,44], as seen in Figure 
6.5, as a substitute for the MP-3 risk profile. Utilization of the MP-1 risk profile allows 
us to quantify the potential risk reductions associated with the IROI, a capability that is 
unavailable with the qualitative MP-3 risk profile. The MP-1 emergency power system is 
similar to the MP-3 plant in that it has two EDGs with an additional station blackout 
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generator (gas turbine driven). The risk profile shown was planned for November and 
December of 1995. 

MP-1 Risk Profile 



Figure 6.5 MP-1 1995 Fuel Damage Risk Profile 


Figure 6.5 illustrates the many risk highs and lows experienced by the plant 
during a typical refueling outage. The time bar located in the middle of the chart 
represents the time that the MP-1 EDGs are out of service for maintenance, a period of 
approximately 17 days or 8.5 days per EDG. MP-3 removes the EDGs from service 
sequentially so that only one diesel is out of service at one time. The variations in the . 
risk over the EDG outage period are due to various non-EDG equipment being taken in 
and out of service simultaneously with the EDGs. The baseline risk for MP-1, viewed at 
the end of the plot in Figure 6.5, is 2.3e-07/day (8.65e-05/year). The baseline risk is the 
lowest value of risk experienced by MP-3 during the refueling outage. It occurs when 
there is low decay heat and all safety systems and associated equipment are available to 
the plant. 
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The outage of each EDG contributes a multiple of 4.43 over the baseline fuel 
damage frequency which means that risk of fuel damage is roughly four times more likely 
when MP-3 removes a single EDG from service. The overall probability of fuel damage 
during the 49 day refueling outage for MP-1 is 7.993e-5. This value is equal to the area 
under the risk profile curve. Equation 6.3 aids in the determination of the EDG outage 


Baseline 


^EDG Days'' 

X ((Relative Risk) - 1) X Out Of = 

V Service / 


Contribution to 
Total Risk 


contribution to the overall probability of fuel damage. Utilization of this formula yields a 
contribution value of 1.335e-5 or 16.7% of the total probability of fuel damage. A 
reduction in the out of service time for the EDGs results in a overall fuel damage 
probability reduction and a corresponding decrease of the EDG contribution to the overall 
fuel damage probability. 


6.4.2 MP-1 Risk Profile Improvement 

We can credit the 118 hour EDG inspection time reduction at any point in the 
scheduled outage. Outage planning experts would most likely take several factors into 
account, DID for example, when scheduling the shorter inspections. Regardless of the 
scheduling strategy selected, the overall probability of fuel damage reduces by the same 
amovmt (assuming that the equipment outages are independent). The improved risk 
profile displayed in Figure 6.6 applies the 118 hour time credit to the end of the originally 
scheduled diesel outage. 

The new probability of fuel damage, utilizing the reduced inspection 
requirements, integrated over the 49 day refueling outage is 7.492e-5 which reflects a risk 
improvement of 6.27%. The EDG outage contribution to the probability of fuel damage 
is 9.497e-6 or 12.7%. This reflects a reduction of five percentage points. These 
probability improvements indicate that the shortened EDG inspection not only decreases 
the overall probability of fuel damage but also decreases the importance of the EDG 
outage as a contributor to the overall plant risk. 
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Improved MP-1 Risk Profile 



DATE 


Figure 6.6 MP-1 Risk Profile Showing the Effects of Reduced Inspection Requirements 


These same types of improvements would be experienced by MP-3 if it were to 
adopt the IROI. Although the exact values of probability reductions would differ, it is 
apparent from the risk profile demonstration that any decrease in EDG outage time will 
result in risk reductions. In the case of MP-3, it is likely they will experience larger 
probability reductions as the proposed 118 hour time savings represent a larger portion of 
the total EDG outage time at MP-3. 


6.4.3 A Shortened Refueling Outage 

Both the DID and fuel damage probability analyses do not address the risk effects 
of shortening the overall length of the refueling outage. In actuality, a shortened 
refueling outage is a natural consequence of a shortened EDG inspection. In this section, 
we calculate the potential risk reductions associated with the shortened refueling outage. 

The IROI of the EDG can be used by the refueling outage schedulers to shorten 
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the electrical power supply system maintenance and testing period. If the electrical 
power supply system outage is part of the plant critical path, this time savings can 
translate into an overall shorter refueling outage. In the past, MP-3’s electrical power 
supply system has not been part of the critical path because of problems with the plant’s 
service water system. MP-3 is currently taking steps to repair the service water system, at 
which time the electrical power system will become part of the critical path [21,41]. 

Figure 6.7 shows a revised electrical power supply system schedule that maintains 
the current DID levels utilized by MP-3 while simultaneously reducing the scheduled 
outage time. This analysis allowed us to trim the original schedule of 611 hours by 82 
hours to a total outage time of 529 hours. This type of schedule could potentially save 
MP-3 more than three days of its current refueling outage. These time savings are 
significant and can translate into large monetary savings for MP-3. 

A shortened refueling outage can also translate into benefits for the MP-1 
refueling outage probability of fuel damage. The shorter outage time period would 
reduce the number of days needed by MP-1 to complete the outage therefore reducing the 
total fuel damage risk (the area underneath the risk profile curve). Again, similar 
conclusions can be drawn for expected changes in the refueling outage probability of fuel 
damage at MP-3. 

6.4.4 Refueling Outage Risk Improvement Summary 

In practice, a group of refueling outage planning experts would attempt to 
maximize the benefits of all three types of refueling outage risk improvements eissociated 
with the IROI. DID, safety, and plant economics would all influence the final form of the 
new refueling outage schedule. Regardless of the final form of this schedule, the IROI 
allows MP-3 to improve its overall refueling outage risk measurably. 
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Figure 6.7 Revised Electrical Power Supply Refueling Outage Schedule, Based Upon a 

Shortened EDG Inspection 

6,5 Effects of IROI on EDG Failure Probability 

In order to estimate the effects of the IROI upon the EDG failure rate, we must 
translate the alteration of the required inspections into a change in the failure rates of the 
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basic events associated with the EDG system. Basic events refer to individual failures 
that could lead to the failure of the entire system (The entire list of MP-3 basic events that 
contribute to the EDG system failure probability as well as the associated system fault 
tree can be found in Appendix C [45,46]). Once we identify the basic events, we can 
perform a sensitivity analysis in order to evaluate the effect of the basic event changes on 
the EDG failure rate. 

The proposed IROI reduces the probability of failure for four types of basic events 
at MP-3. Table 6.3 lists the four basic events affected by the proposed IROI for the A 
EDG as well as their associated respective probability values. In order to calculate the 
reduction of the EDG system failure probability value, we recalculate the fault tree top 
event probability value using new values for the four basic events listed in Table 6.4. The 
new values for the four basic events reflect probability reductions of 25%, 50%, 75% and 
100%, respectively. 


Basic 

Event 

Number 

Description 

Event 

Probability 

38 

EDG A unavailable due to test or 
maintenance. 

l.le-2 

39 

EDG A fails to start on demand (includes 
failure to run). 

1.64e-2 

68 

Common cause failure of air operated start 
valves. 

1.36e-4 

69 

Common cause failure of EDGs to start on 
demand (includes failure to run). 

1.12e-3 


Table 6.4 Basic Events Affected by Proposed IROI and 
Their Respective Probability Values 

Figure 6.8 displays the results of the sensitivity analysis plotting the value of the 
probability of the top event, failure of the EDG system. The five calculated values of the 
top event appear as points on the plot with a least-squares best fit line revealing a linear 
relationship. For example, an anticipated basic event reduction of 50% would decrease 
the EDG system failure probability 13.9%, from 0.0952 to 0.082. 
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Figure 6.8 Effect of Basic Event Reduction on Diesel Failure Probability 

A similar analysis of the introduction of a comprehensive diesel monitoring 
system at MP-3 revealed that the EDG system failure probability can be driven lower 
than the values shown for the IROI calculation. The proposed monitoring program 
included reduction of the probabilities of 21 basic events including three of the foxir 
events listed in Table 6.3. In addition to the EDG fault tree basic events, the proposed 
monitoring system reduced the probabilities of basic events associated with the plant 
service water pumps and the EDG building ventilation dampers. The risk sensitivity 
analysis of this system revealed that a 50% reduction in basic event probabilities reduced 
the EDG system failure probability by 38.6%. Using this new failure rate information, a 
completely new testing regiment was proposed by Dulik. An hour long monthly run of 
the diesels was modified to a yearly 24 hour run of the diesel. The increased duration of 
the test was justified because of its success in identifying nearly 100% of all of the EDG 
failure modes (in contrast to the 34.5% of modes identified in an hourly run). The 
decreased frequency of the testing to once per year was established through optimization 
of the new failure rate and EDG vmavailability due to testing. A complete analysis of the 
proposed monitoring system and its associated reliability improvements and modified 
testing regiment can be located in Dulik’s report [3]. 
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6.5.1 Failure Rate Summary 

The reduction in the probabilities of the basic events associated with the improved 
ROI are unknown quantities. However, the reduction of the failure probability is highly 
likely as the proposed inspection alterations are based upon sound engineering practices 
and the extensive historical performance of the MP-3 diesels. The sensitivity analysis 
presented here quantifies the possible reliability improvements that the MP-3 EDGs may 
realize with the implementation of the IROI. It is important to note that any reliability 
improvement experienced by the EDG system will also reduce the core damage 
frequency (CDF) of the plant. 

6.6 Risk Improvement Summary 

In order to fully appreciate the benefits of the EDG IROI, analysis must go 
beyond the qualitative. Risk analysis provides a method for quantitative assessment of 
the proposed changes. The time savings of the IROI result in improved DID at MP-3 as 
well as the potential for a shortened critical path. The refueling outage risk profile of 
MP-3 would also likely benefit from the IROI as reflected in a reduced fuel damage 
probability. Expert analysis would integrate all three of these refueling outage 
improvements into a schedule that maximizes the benefits of the IROI. 

Although we cannot accurately calculate the reliability effects of the IROI without 
the actual implementation of the shortened inspection, a sensitivity analysis of the 
potential improvements provides a clear picture of the possible reliability improvements. 
Increased monitoring also contributes positively to the risk outlook of the MP-3 EDG 
system reliability. 
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Chapter 7 -- On-Line EDG Inspection Benefits 


7.1 Introduction 

Recent investigation of refueling outages by industry experts has revealed that the 
probability of a loss of offsite power and therefore the demand for backup power 
provided by the EDGs may actually be higher, during the refueling outage than when the 
plant is at power [15]. This development is likely due to an increase in the probabilities 
of human errors associated with odd and infrequently used plant configurations and the 
associated un-familiarity of workers with them. This situation supports the possible 
transfer of all EDG inspections, surveillances, and maintenance items that currently 
remove the diesels from service during the refueling outage to a new practice of 
execution when the plant is operating at power. Maintenance and testing items performed 
while the plant is operating at power are known as on-line surveillances. 

Several plants in the US have applied to the NRC to alter their respective TS in 
order to accommodate the 18 month EDG inspection while operating at power. In most 
cases, this requires an extension of the individual plant’s allowed outage time (AOT). 

We found that for the EDG inspection transfer, the increase in risk associated with a 
larger AOT is considered non-significant according to NRC criterion established for TS 
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alteration [47]. We also found that the elimination of the EDG ROI significantly reduces 
the fuel damage probability for the duration of the refueling outage. 

7.2 Pilgrim Nuclear Power Station Proposed TS Changes 

The Pilgrim Nuclear Power Station (PNPS) is currently applying to the NRC for 
extension of their EDG AOT from three to 14 days. This extension is intended to 
increase the repair and preventive maintenance time and to reduce potential for plant 
shutdown transients during EDG repair and maintenance. Additionally, the 14 day AOT 
will allow for the performance of on-line EDG maintenance. In order to balance the 
availability of plant systems associated with electric power activities, PNPS is 
simultaneously applying for an AOT reduction for the start-up transformer. In other 
words, PNPS is requiring that their own start-up transformer be more available in order to 
compensate for the increased unavailability of the EDG [4,47] . • 

The baseline CDF value at PNPS is 2.84e-5/year, resulting in a core damage 
probability (CDP) of 1.09e-6 over a 14 day period. The CDF value with one EDG 
unavailable and one EDG subject to random failures increases by a factor of 1.79 to 
5.08e-5/year. The corresponding CDP over 14 days is 1.95e-6, representing a temporary 
increase of 8.6e-7 (or 78.9%) over the baseline CDP value. This increase is considered 
non-risk-significant in terms of the criteria of both EPRI and the NRC [4]. EPRI’s risk- 
significant standard is 1 .Oe-6 for CDP while the NRC standards requires a CDF increase 
less than l.Oe-5. The CDF increase anticipated by PNPS is 1.72e-6. At this time, the 
PNPS staff expresses confidence that their proposal will be approved by the NRC [47]. 

7.3 On-line Transfer of Surveillances at MP-3 

The transfer of all MP-3 refueling outage EDG surveillances on-line would first 
require a basic change in the TS of the plant. Currently, the 18 month inspection must be 
performed during the refueling outage per the wording of TS 4.8.1.1.2.g.l [17]. If the TS 
were changed, however, the MP-3 diesel engineer has expressed confidence that all 
inspection and maintenance items currently performed during the ROI could be 
performed on-line with little or no difficulty. The MP-2 diesel engineer supported this 
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opinion, but with the caution that an associated increase in MP-3’s three day AOT must 
occur in order to compensate for the additional surveillances that would be performed on¬ 
line [21]. Additionally, he recommended that this increase in the AOT would be 
beneficial in the event that a major repair must take place [23]. 

Calculation of the associated risk implications for the transfer of the ROI items 
and associated EDG testing practices on-line for both the current ROI and the IROI is 
possible. We present risk calculations in this segment that only address the risk 
implications of transfer of the IROI. Transfer of the ROI would yield similar risk results 
but the diesel would not realize the reliability benefits of the altered inspection. 

7.3.1 Refueling Outage Risk Improvements 

The transfer of the IROI items and associated testing requirements will not affect 
the calculated IROI DID level improvements during the refueling outage. The current 
DID levels are constrained by the outage of key buses that will remain unaffected by the 
transfer of EDG surveillances on-line. This is also true for the critical path time 
improvements. The improvements computed in Section 6.4.3 represent the maximum 
refueling outage time savings available with the constraint of maintenance of current DID 
levels. 

The main refueling outage risk reduction of on-line surveillance transfer can be 
seen in the refueling outage risk profile and associated fuel damage probability. In order 
to demonstrate this benefit, we again utilize the MP-1 Risk Profile in the absence of a 
similar MP-3 document. Figure 7.1 details the risk profile alteration anticipated as a 
result of the transfer of EDG surveillances on-line. The total fuel damage probability 
over the 49 day outage is 6.27e-5 compared to the original fuel damage probability of. 
7.993e-5. This change reflects a 21.6% improvement over the base case. This risk 
profile analysis does not account for risk changes associated with a shortened refueling 
outage. However, a shortened refueling outage results in additional risk benefits. 
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MP-1 Risk Profile W/O EDG Surveillances 



Figure 7.1 MP-1 Refueling Outage Risk Profile in the Absence of EDG Surveillances 


7.3.2 Risk Implications of Performing Inspections While Operating At Power 
The outage of one EDG at MP-3 increases the CDF a factor of 1.47 over the 
baseline CDF value of 6e-5/yr [40]. This factor considers the case where one EDG is out 
of service while the remaining diesel is available but subject to random failures. In order 
to analyze the affects of transferring EDG surveillances on-line, we must choose a value 
of AOT increase to use in our analysis. Currently, the MP-3 AOT value is three days but 
the transfer of the IROI will require at least an extra three days of AOT. One extra day is 
also added for conservatism and to conform to the MP-2 diesel engineer’s suggestion- 
No attempt to compensate for power system availability is made here (as in the Pilgrim 
application). The corresponding risk sensitivities are summarized as follows: 


• Baseline CDF 

• Baseline CDP integrated over 7 days 

• CDF with one EDG unavailable 

• CDP with one EDG unavailable integrated 
over 7 days 


= 6e-5/yr 

= 6e-5*7/365 = 1.15e-6 
= 8.8e-5/yr 

= 8.8e-5*7/365 = 1.69e-6 
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Thus, having one EDG unavailable for 7 days causes a temporary increase of 
5.4e-7 over the baseline CDP value. We calculate the permanent change in the annual 
mean CDF as a result of the increased AOT as follows: 

CDP with one EDG unavailable 7 days = 1.69e-6 

New annual mean CDF = 2*1.69e-6+(6e-5*351/365) = 6.1 le-5/yr. 

(The 2* factor is due to the 7 day AOT for EACH diesel) 

The resulting increase in the CDF value is l.le-6/yr, a figure well below the NRC 
criterion of l.Oe-5/yr [2]. 

Table 7.1 contains the projected risk comparison of a 7 day AOT at MP-3 to that 
of a 14 day AOT. Although a 14 day AOT would meet the NRC criteria, it fails to meet 
the EPRI criteria of CDP increase less than l.Oe-6 [4]. This criteria failure, however, is 
quite small and would most likely be waived in practice on the basis that the error of the 
CDF estimate is less than the CDF difference observed here. 



7 Day AOT 

14 Day AOT 

Baseline CDP 

1.15e-6 

2.3e-6 

CDP w/One EDG bos 

1.69e-6 

3.38e-6 

CDP Increase 

5.4e-7 

1.08e-6 

New CDF 


6.22e-5/yr 

CDF Increase 

l.le-6/yr 

2.2e-6/yr 


Table 7.1 Comparison of the Risk Implications of 7 and 14 Day AOTs 


7.3.3 Additional Considerations 

Before accepting on-line EDG surveillance at MP-3, we must accoimt for 
additional considerations of risk. Initially, workers will be inexperienced with performing 
surveillances on-line. The power plant managers must anticipate and reduce human error 
wherever possible. Additionally, the performance of increased on-line testing may 
introduce transients that have never occurred before in the plant. The power plant 
managers must also anticipate and plan for these events. One final consideration is the 
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detailed planning that must take place in order to anticipate equipment outage 
combinations that would degrade safe operation of the plant. Increased EDG outages 
while operating at power will necessarily complicate the work of maintenance planners 
[15,21,23,40]. 

7.4 Summary 

Use of on-line testing and maintenance in nuclear power plants has increased 
greatly in recent years. Transfer of the IROI activities to on-line performance results in 
large risk reductions during the refueling outage and negligible risk increases while 
operating at power. However, human errors associated with the on-line transfer and other 
unknown risk factors must be studied further before this program is implemented fully at 
a power plant such as MP-3. 
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Chapter 8 — Economic and Safety Benefits of the IROI 


8.1 Introduction 

Significant potential economic and safety benefits result as a consequence of 
implementation of the IROI. The most fimdamental of these benefits will result from 
avoided repair and equipment replacement costs arising from the reduction of intrusive 
practices. The largest economic benefit, however, will arise as a result of redueing the 
critical path of the refueling outage. These substantial savings can in turn be a source of 
funding for an advanced monitoring program or enhanced safety training of personnel. 

8.2 Direct Economic and Safety Benefits 

The reduction of the number of inspection items associated with the ROI will 
provide MP-3 with immediate economic and safety benefits. Reduced maintenance, 
such as the increased periodicity of changing the turbocharger oil, will result in fewer 
basic parts being needed. The diesel operator will need items such as filters and fi'esh oil 
at a reduced frequency. Additionally, the diesel engineer can eliminate use of 
unnecessary test equipment, such as the fuel injector static test mechanism, firom the MP- 
3 engineering inventory [21]. 
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The more profound and important benefit realized directly by MP-3 will occur 
from the avoided safety risk associated with errors caused by humans. The less intrusive 
IROI will preserve the condition of the EDG eliminating unnecessary action by humans. 
Although failures of the EDG will still be possible, the firequency of human-induced 
failures is likely to decrease. These avoided failures will also likely reduce the amounts 
of money and time needed to repair the diesel following a such a failure [15,21]. 

A good example of such failures took place during MP-3’s last refueling outage. 
The TS require a disassembly inspection of two of the exhaust valve assemblies (one on 
each diesel) every 36 months. A worker damaged one of these exhaust valves so badly 
during disassembly that it had to be replaced by the inspection team. The other exhaust 
valve was also replaced by the inspection team because of pitting on the valve seating 
face. Although this particular valve failed its inspection due to the pitting, all of the 
personnel involved with the inspection stated that the valve was still fully operational 
(additionally, the engine analyzer had not indicated a problem with the valve) ~ MP-3 
replaced the equipment because of a technicality [21]. MP-3 replaced two functioning 
valves at a large economic and safety cost. Although this specific inspection is not 
included in the current ROI, it is an example of the type of inspections eliminated vmder 
the IROI. 

These types of direct benefits are difficult to quantify as they depend upon past 
documentation. Workers at MP-3 made no attempt to record the rationale for each 
specific equipment replacement at MP-3. Instead EDG workers related this information 
on an anecdotal basis, such as the example of the exhaust valve assemblies. The 
inspection participants, however, feel that the direct savings realized as a result of the 
IROI will be substantial. 

8.3 Shortened Refueling Outage Benefits 

Chapter 6 details the risk benefits of a shorter refueling outage revealing the 
benefits as being substantial. The economic benefits of a shortened refueling outage are 
fortunately just as substantial. While a plant is in a refueling outage they must buy power 
from other sources to provide to their customers. In May of 1995, the replacement cost 
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per day was anywhere from $215,000 to $344,000 (1995 dollars). This translates to a 
rnavirnnm approximates savings of $1.18 million ($344,000/day * 3.42 days) over the 
entire refueling outage if current DID levels are maintained by MP-3 [40]. 

Additionally, the shortened refueling outage will also reduce the labor costs 
associated with the current ROI. For the 1995 ROI, the total cost of internal and external 
labor was approximately $165,000 [48]. The vast majority of this was paid to Colt- 
Pielstick for vendor-related support. Assuming a level price per hour for all labor costs of 
$487 results in an additional $40,000 savings in avoided cost. 

8.4 Utilization of Economic Benefits 

Improved DID, decreased fuel melt probability and reduced EDG failure 
probability are all safety benefits of the IROI. In addition to these important safety 
benefits, MP-3 can use the economic benefits of the IROI to fund additional EDG 
monitoring equipment and training programs that benefit the safety of the plant. 

For example, one particular concern of the experts at INEEL is human errors 
introduced during the realignment of the EDG following the ROI [15]. In many plants, a 
single operator will use a checklist to ensure that the EDG is ready for operation and 
testing. The INEEL experts have stated that a system of double checks, in which two 
workers are responsible for performing identical checks, will remedy the realignment 
errors. Funding for this additional labor can come from the avoided labor costs 
associated with the IROI. The two inspectors can perform this initial check and 
subsequent double check almost simultaneously, therefore avoiding an extension of the 
refueling outage. 

The avoided costs of the IROI can also pay for additional sensing and monitoring 
of the EDG. Dulik’s work outlines the economics of such a plan in detail. The result of 
his analysis concludes that a plant can pay for such a device with the avoided cost of just 
one refueling outage [3]. 

The substantial savings can also fund improvements in the work place for the 
EDG workers. An improved work space and lounge can have positive effects on the 
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quality of work produced by laborers. The economic benefits of the IROI can also fund 
non-EDG related safety programs such as CPR or fire safety training. 

8.5 Conclusion 

The economic savings associated with the IROI are remarkable. The avoided 
costs of labor and equipment are substantial but are minute when compared to the 
millions saved through a shortened refueling outage. A plant realizes safety benefits 
through reduced risk at power and while the plant is refueling. A plant can experience 
additional safety benefits through the funding of various projects. 


85 




Chapter 9 — Conclusions and Recommendations 

The refueling outage inspection currently utilized at MP-3 has serious 
administrative and basic engineering shortcomings. Analysis of the ROI utilizing risk- 
informed performance-based methodology reveals that MP-3 can realize substantial 
benefits through implementation of an improved refueling outage inspection. 

Chapter 4 presents a plan for the IROI based upon the opinions of the MP-3 and 
MP-2 diesel engineers. Both of these men have extensive experience with EDGs and the 
MP-3 diesel engineer has worked with the MP-3 diesels since they were put into 
operation. Their recommendations are based upon their inspection experience and their 
detailed knowledge of the performance of their respective diesels. 

Chapter 5 assembles the experience of non-nuclear industry EDG applications. 
We compare and contrast inspections, operating experience, and expert opinion 
associated with EDGs in hospitals, the FAA and the US Navy. We use this comparison 
to further substantiate the recommendations made by the Millstone engineers. 

We present the numerous risk benefits associated with the IROI in Chapter 6. 
Analysis of defense in depth, refueling outage fuel melt probability, and EDG failure 
probability all show that implementation of the IROI will result in a net risk 
improvement. 
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Chapter 7 details the risk and time savings associated with the on-line transfer of 
the IROL This transfer requires an increase in the EDG allowed outage time from its 
current three day limit. An analysis of an AOT increase to 7 and 14 days reveals that the 
associated risk increase is insubstantial according to NRC and EPRI limits. MP-3 
implementation of such a plan, however, is limited by operational uncertainties. 

Finally, Chapter 8 presents the many economic and safety benefits associated with 
the IROL The substantial economic benefits realized by MP-3 can be used to implement 
further safety programs within the plant. 

We conclude that the refueling outage inspection of the diesel should be 
developed and implemented by persoimel familiar with the operating characteristics and 
history of the individual diesels. The vendor recommendations for EDG inspection and 
maintenance should be used solely as a recommendation, not as a rigid set of rules. We 
also judge that vendor representatives should be used as consultants, not inspectors, as 
their role of inspector is compromised by an obvious conflict of interest. 

The NRC will likely require implementation of the IROI on a trial basis if it is to 
proceed. MP-3 can accomplish this through application of the IROI on one EDG only. 
Transfer to on-line performance of the inspection would be the next proposed step taken 
by MP-3 following the proven success of the IROL 

We used methods and arguments in this work that demonstrate EDG regulation 
can be logically altered based on the performance history of the diesel and the associated 
risk consequences. These methods easily transfer to other questionable regulation within 
the nuclear industry structure. 
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Chapter 10 -- Future Work 


10.1 Introduction 

The project on Integrated Models, Data Bases and Practices Needed for 
Performance-Based Safety Regulation, of which this EDG ROI study is a part, concludes 
in January of 1998. Although the study provides a clear framework for the application of 
performance-based safety regulation, specific EDG ROI questions left unanswered in this 
work may also arise in future application of the methodology. 

10.2 Inspection Administration 

Although the current administration of the ROI is questionably set up by the TS, 
total elimination of inspection oversight may not be appropriate. Implementation of a.. 
diesel inspection program similar to that of the US Navy should be explored. Such a 
program would provide a much needed third pairty inspector whose primary goal would 
be diesel reliability and safety. 
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10.3 Balancing Risk Benefit 

The numerous risk benefits realized through implementation of the IROI should 
be integrated in such a way that they provide maximum safety and reliability 
im provement. A detailed Study of the integration of DID, fuel damage probability, and 
diesel reliability will provide a framework for future regulation alteration analysis. 

10.4 On-line Transfer of IROI 

The performance of the IROI while the plant is operating at full power promises 
substantial risk, economic, and safety benefits with a negligible increase in CDF. Further 
work must be performed, however, to determine the likelihood of increased human errors 
caused by the on-line transfer. Additionally, compensation within the power system 
should be explored to adjust for the anticipated increase in the AOT of the EDG. 


89 




References 


[1] Grant, G.M., et al., Emergency Diesel Generator Power System Reliability: 1987- 

1993. INEL-95/0035, February 1996. 

[2] USNRC. Risk Informed Decision Making: Technical Specifications. February, 1997 

[3] Dulik, Jeffrey. Use of Performance-Monitoring to Improve Reliability of Emergency 

Diesel Generators. February 1998. 

[4] Littleton, Clem. ApplicationforPNPS Alterations. 1997. 

[5] Reactor Safety Study: An Assessment of Accident Risks in US. Commercial Nuclear 

Power Plants. Wash-1400, NUREG-75/014, October 1975. 

[6] Kumamoto, H. and E.J. Henley. Probabilistic Risk Assessment and Management for 

Engineers and Scientists. IEEE Press, 1996. 

[7] USNRC. Use of Probabilistic Risk Assessment Methods in Nuclear Reglatory 

Activities. August, 1995. 

[8] USNRC. Reviewing PSA-Based Analyses to Modify Technical Specifications at 

Nuclear Power Plants. NUREG/CR-6172, December, 1995. 

[9] An Approach for Using Probabilistick Risk Assessment in Risk-Informed Decisions 

on Plant-Specific Changes to the Current Licensing Basis. NRC Draft Guide 
DG-1061. 1996. 

[10] AnApproachfor Plant-Specific, Risk-Informed Decision Making: Technical 

Specifications. NRC Draft Guide DG-1065, Rev. 5, February 1997. 

[11] USNRC. Use of Probabilistic Risk Assessment in Plant-Specific, Risk-Informed 

Decision-making: General Guidance. February, 1997 

[12] Battle, R.E. Emergency Diesel Generator Operating Experience, 1981-1983. 

NUREG/CR-4347, December 1985. 


90 


[13] Wyckoff, H. The Reliability of Emergency Diesel generators at U.S. Nuclear Power 

Plants, NS AC-108, September 1986. 

[14] Driscoll, G.D., et al.. Surveillance, Monitoring, and Diagnostic Techniques to 

Improve Diesel Generator Reliability. Southwest Research Institute, EPRI Report 
NP-5924, July 1988. 

[15] Personal Communication: Grant, G.L. Idaho National Engineering Laboratory, 

October 1996, February 1997. 

[16] Colt-Pielstick PC2V Engine Instructions. 1983. 

[17] MP-3. Technical Specifications: Millstone Unit 3. 1995. 

[18] MP-3. PM Diesel Generator Mechanical Maintenance. MP 3720CB. 1995. 

[19] MP-3. Emergency Diesel Generator Surveillance Inspection. SP 3712K. 1995. 

[20] 1995 MP-3 Refueling Outage Schedule. 

[21] Personal Communication: Shanahan, Brian E., Millstone-3 EDG Engineer, 

November 1996, June 1997. 

[22] Colt-Pielstick Service Information Letter, 1983-1996. 

[23] Personal Communciation: Stadnick, Steve. Millston-2 EDG Engineer, August 

1997. 

[24] Fairbanks Morse Owners’ Group.- Recommended Maintenance for Pielstick Diesel 

Engines in Nuclear Standby Service. 1996. 

[25] JCAHO: Plant, Technology and Safety Management Series: Emergency Power- 

Testing and Maintenance. 1994. 

[26] Personal Communication: Dorsey, Stephen, Cambridge Hopsital Engineer, 

September 1996. 

[27] Personal Communication: Sankas, Stephen, New England Medical Center, 

September 1996. 

[28] Personal Communication: Klein, Burton. National Fire Prevention Association. 

September 1997. 

[29] Joint Commission on Accreditation of Healthcare Organizations. 

http://www.jcaho.org. January 1998. 


91 




[30] FAA: Maintenance of Engine Generators: 6980.1 IB. 1980. 

[31] Wald, Matthew L. System Blackout Disrupts Flights Around Country. New York 

Times. December 19,1997. 

[32] Personal Communication; Balias, Tom. FAA Mechanical Engineer. March 1997. 

[33] Personal Communication: Ramone Ruiz. FAA Technical Evaluator. September 

1996. 

[34] Personal Communication: Grotsky, Peter. U.S. Navy, Naval Sea Systems 

Command, November 1996, January 1997. 

[35] US Navy: Age Reliability Analysis Prototype Study. 1993. 

[36] US Navy Diesel Engine Inspector Handbook Part 1 Inspection Procedures. 1988. 

[37] Personal Communication: Senior Chief Toal, United States Navy, Diesel Engine 

Inspector, June 1997. 

[38] US Navy: 9233.1 Diesel Engine Inspection Procedures. 

[39] US Navy: CINCLANTFLTINST 3540.9 Automated Diesel Engine Trend Analysis. 

1996. 

[40] Personal Communication: Labrecque, Richard C., Millstone-3 Probabilistic Risk 

Assessment, 1996, 1997. 

[41] Personal Communication: Cietek, Fred O., Millstone-3 Probabilistic Risk 

Assessment, May 1997. 

[42] Millstone Nuclear Power Station General Operating Procedure: Conduct of 

Outages, Millstone-3 OP3260A/Rev. 10,1997. 

[43] USNRC. NUMARC 91-06. 

[44] Labrecque, Richard C., MEMORANDUM: MPl RF15 Shutdown Risk Profile, 

October, 1995. 

[45] MP-3 Basic Events, 1997. 

[46] MP-3 EDG Fault Tree, 1997. 


92 


[47] Personal Communication; Littleton, Clem, Pilgrim Nuclear Power Station, October 

1997. 

[48] 1995 CCC 837 MP3 Maintenance Department Budget, Millstone-3,1995. 

[49] Millstone 3 Probabilistic Risk Assessment, Northeast Utilities Services Company. 


93 





Appendix A - Millstone Unit 3 Technical Specifications 


The following material is an excerpt from the NRC-approved Technical 
Specifications for Unit 3 of the Millstone Nuclear Power Station [18]. This specific 
selection outlines surveillance requirements for the electrical power systems utilized at 
MP-3. Technical Specification (TS) 4.8.1.1.2.g.l, located in this appendix, is repeatedly 
refered to throughout this work as it forms the basis for the Emergency Diesel Generator 
refueling outage inspection. 
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F.T ,F,r,TRTCAL POWER SYSTEMS 



4.8.1.1.1 Each of the above required independent circuits between the offsite 

tr ansmi ssion network and the Onsite Class IE Distribution System shall be: 


a. Determined OPERABLE at least once per 7 days by verifying correct 
breaker alignments, indicated power availability, and 


b. Demonstrated OPERABLE at least once per 18 months during shutdown 
by transferring (manually and automatically) unit power supply from the 
normal circuit to the alternate circuit. 


4.8.1.1.2 Each diesel generator shall be demonstrated OPERABLE: 

a. In accordance with the frequency specified in Table 4.8-1 on a 
STAGGERED TEST BASIS by: 

1) Verifying the fuel level in the day tank, 

2) Verifying the fuel level in the fuel storage tank, 

3) Verifying the fuel transfer pump starts and transfers fuel from the 
storage system to the day tank, 

4) Verifying the lubricating oil inventory in storage, 

5) Verifying the diesel starts from standby conditions and achieves 
generator voltage and frequency at 4160±420 volts and 60±0.8 Hz. 
The diesel generator shall be started for this test by using one of 
the following signals: 

a) Manual, or 

b) Simulated loss-of-offsite power by itself, or 

c) Simulated loss-of-offsite power in conjimction with an ESP 
Acutation test signal, or 

d) An ESF Actuation test signal by itself. 



6) Verifying the generator is synchronized and gradually loaded in 
accordance with the manufacturer’s recommendations to greater 
than or equal to 4986 kW and operates with a load greater than or 
equal to 4986 kW for at least 60 minutes, and 

7) Verifying the diesel generator is aligned to provide standby power 
to the associated emergency buses. 

b. At least once per 184 days, verify that the diesel generator starts and 
attains generator voltage and frequency of 4160 ±420 volts and 60 ±0.8 Hz 
within 11 seconds after the start signal. The generator shall be 
synchronized to the associated emergency bus, loaded to greater than or 
equal to 4986 kW in accordance with the manufacturer’s 
recommendations, and operate with a load greater than or equal to 

4986 kW for at least 60 minutes. The diesel generator shall be started for 
this test using one of the signals in Surveillance Requirement 4.8.1.1.2.a.5. 
This test, if it is performed so it coincides with the testing required by 
Surveillance Requirement 4.8.1.1.2.a.5, may also serve to concurrently 
meet those requirements as well. ' 

c. At least once per 31 days and after each operation of the diesel where the 
period of operation was greater than or equal to 1 hour by checking for and 
removing accumulated water from the day tank; 

d. At least once per 31 days by checking for and removing accumulated 
water from the fuel oil storage tanks; 

e. By sampling new fuel oil in accordance with ASTM-D4057 prior to 
addition to storage tanks and: 

1) ‘By verifying in accordance with the tests specified in ASTM- 

D975-81 prior to addition to the storage tanks that the sample has: 

a) An API Gravity of within 0.3 degrees at 60°F, or a specific 
gravity of within 0.0016 at 60/60°F, when compared to the 
supplier’s certificate, or an absolute specific gravity at 
60/60°F of greater than or equal to 0.83 but less than or 
equal to 0.89, or an API gravity of greater than or equal to 
27 degrees but less than or equal to 39 degrees; 

b) A kinematic viscostiy at 40°C of greater than or equal to 
1.9 centistokes, but less than or equal to 4.1 centistokes 
(alternatively, Saybolt viscosity, SUS at 100°F of greater 
than or equal to 32.6, but less than or equl to 40.1), if 


96 


gravity was not determined by comparison with the 
supplier’s certification; 

c) A flash point equal to or greater than 125°F; and 

d) Water and sediment less than 0.05 percent by volume when 
tested in accordance with ASTM-D1796-83. 

2) By verifying within 30 days of obtaining the sample that the other 
properties specified in Table 1 of ASTM-D975-81 except that: (1) 
the cetane index shall be determined in accordance with ASTM- 
D976 (this test is an appropriate approximation for cetane number 
as stated in ASTM-D975-81 [Note E]), and (2) the analysis for 
sulfur may be performed in accordance v^th ASTM-D1552-79, 
ASTM-D2622-82 or ASTM-D4294-83. 

f. At least once every 31 days by obtaining a sample of fuel oil in accordance 
with ASTM-D2276-78, and verifying that total particulate contamination 
is less than 10 mg/liter when checked in accordahce with ASTM-D2276- 
78, Method A; 

g. At least once per 18 months, during shutdown, by: 

1) Subjecting the diesel to an inspection in accordance with 
procedures prepared in conjunction with its manufacturer’s 
recommendations for this class of standby service; 

2) Verifying the generator capability to reject a load of greater than or 
equal to 595 kW while maintaining voltage at 4160 ± 420 volts and 
frequency at 60 ± 3 Hz; 

3) Verifying the generator capability to reject a load of 4986 kW 
without tripping. The generator voltage shall not exceed 5000 
volts during and 4784 volts following the load rejection; 

4) Simulating a loss-of-offsite power by itself, and: 

a) Verifying deenergization of the emergency buses and load 
shedding from the emergency buses, and 

b) Verifying the diesel starts from standby conditions on the 
auto-start signal, energizes the emergency buses with 
permanently connected loads within 11 seconds, energizes 
the auto-connected shutdown loads through the load 
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sequencer and operates for greater than or equal to 5 
minutes while its generator is loaded with the shutdown 
loads. After energization, the steady-state voltage and 
frequency of the emergency buses shall be maintained at 
4160 ± 420 volts and 60 ± 0.8 Hz during the test. 
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Appendix B -- Colt-Pielstick PC2V Engine Instructions 


The following material consists of an excerpt from the Colt-Pielstick Engine 
Instruction manual [17]. This manual contains information covering the description, 
operation and servicing of the Colt-Pielstick PC2V diesel engine, the type of engines 
utilized at Millstone 3. The specific information contained in this appendix consists of 
the supplemental maintenance instructions tailored for PC2V engines used for standby 
service. - 

The Aimual/Refuel instructions found in this excerpt make up the 18 month 
emergency diesel generator refueling outage inspection — the focus of the work in this 
report. 
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r.OTT-PTKLSTICK - PC2V ENGINE INSTRUCTIONS 


W. SUPPLEMENT MAINTENANCE INSTRUCTIONS 
For Model PC2V Standby Units 

The following inspection routine is supplemental to component part operation and 
service instructions in the instruction book and is recommended for engine and standby 
nuclear service. The unit may not accumulate significant operating hours between 
refueling and maintenance periods but the service and importance of availability justifies 
the frequency of inspection. 

It is of primary importance that every repair and malfunction is entered onto the 
engine operating log. Operating log data must be used to graph critical pressures and 
temperatures to determine trends in operating performance. It is of equal importance that 
this data be available in the Maintenance Department for ready reference and analysis by 
maintenance and visiting service personnel. 

Daily Inspection 

1. Lube oil level in turbochargers air side and exhaust side, oil sumps, outboard 
bearing, governor, air distributor and air compressor. Presence of water in the oil 
requires determination of cause and immediate correction. Note that unlike 
automotive engines, oil leveling and measuring procedures are performed with the 
engine operating at controlled temperatures. Cold oil will expand and raise oil 
levels. Do not overfill as bearing damage can occur. 

2. Standby heaters and pumps are operational; minimum lube oil temperature 120°F, 
water temperature 105°F. 

3. Jacket water surge tank level. Changes in the level of the surge tank or presence 
of oil must be investigated and the cause corrected. 

4. Control power is available, there are no flags on the switch gear controls and no 
annunciator alarms. The engine control should be set for operation. 

Weekly or Biweekly — Operation and Checks 

1. All preceding instructions plus drain air start tank condensate. 

2. Operate rocker prelube pump 5 minutes if engine is not operated every week. 

3. Check injection pump racks for free movement. Clean injection pump racks with 
fuel oil as required. 

4. Check the DC control supply and service batteries as required. 

5. Check day tank fuel level and inspect tank pit for fuel leakage. 

6. Unit operation 

a. During run-in of replacement parts and performance checks other than 
emergency starts, it is desirable to start the engine at idle speed, increase 
the speed over a 5 to 10 minute period to 514 rpm cind apply load over a 
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10 to 30 minute period. As with an automobile, moderate treatment 
improves longevity. Actual run-in procedures vary depending upon part 
replacement and will be provided by our service representative. 

b. Surveillance Test (Weekly or Biweekly) 

After confirmation that the unit is ready for start, proceed with test 
start in less than 10 seconds. 

-Rim the unit at no load for 3 to 5 minutes, until fluid pressures and 
temperatures are stabilized. 

-Apply 20 to 30 percent load and run the unit for 3 to 5 minutes, 
until pressures and temperatures are stabilized. 

-Apply additional load to bring the unit to 50 to 60 percent of 
continuous rating. Run the unit for 3 to 50 minutes, until pressures and 
temperatures are stabilized. 

-Apply additional load to bring the unit to 80 to 90 percent of 
continuous rating. 

c. Operate the unit 1 to 2 hours. Temperature and pressure data should be 
recorded after startup and after 1 hour operation. The second line of data 
will reflect stabilized temperatures and should be plotted to indicate 
possible changes in performance. If the unit is run for more than one hour, 
a line of data should be recorded every hour. 

d. Wipe down the unit and clean the area noting any oil, fuel or water minor 
leaks in need of repair. Unusual heat on bearing housings should be 
investigated. Site glasses for flow and levels should be rechecked. 

e. Check generator field slip ring brushes for arcing. 

f. Record lube oil usage. 

g. Reduce load gradually, at same rate as the loading reference described in 
paragraph b above. Operate unit 2 to 3 minutes at no load for cool down 
prior to engine shutdown. 

h. Analyze operating data to determine if maintenance is required or if 
temperature or pressure data requires further investigation. Jacket water, 
lube oil, air manifold, raw water, fuel oil and exhaust temperatures and 
pressures should remain relatively constant for any given load. Changes 
in temperatures or pressures or differentials in temperatures or pressures 
generally means a change in operating condition of the engine and the 
causes should be determined. 

i. Surveillance tests loading should always be the same to provide for 
comparison of engine operating data and determine if preventive 
maintenance is required. 

Quarterly 

1. All preceding instruction. 

2. Service all the auxiliaries, such as the starting air compressor, lube oil filter and 

strainer as required and check the condition of the air inlet filters. 

3. Sample the jacket water for the required level of treatment. 
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4. Sample the lube oil for condition and contaminates. Check and add approved oil 
as required to the alternator bearing, governor and turbochargers. 

5. Check all pump seals for excessive leakage. 

6. Check and observe engine during starting for air leakage in piping, servo and 
controls. 

7. Sample check rockers. Remove rocker box cover, check for proper lubrication, 
tappet clearance and confirm no water is leaking into the rocker arm compartment. 

8. Thoroughly clean engine room. 

Annual/Refuel: (1 year - 18 months) 

1. All preceding instructions. 

2. Remove and check injection nozzles for operation and opening pressure. 

3. Remove, disassemble, clean and repair all air start valves and air start distributors. 
Clean/replace air start distributor filter. 

4. Drain and refill governor and turbochargers with approved oil. 

5. Drain, flush and refill outboard bearing with approved oil. 

6. Check tightness on all foimdation block to base, oil and water line bolts. 

7. Check sample of rocker lube oil for condition and contaminants. 

8. Check turbocharger inlet casing and turbo casing water passages for scale. The 

inside surface of these casings is the best indication for adequacy of water 
treatment. 

9. Check for tightness of exhaust manifold flange bolts to cylinder head (165- 
196 fl.lbs.). 

10. Check all safety and shutdown controls for appropriate pressures and 
temperatures. 

11. Borescope all cylinder liners. 

12. Inspect the crankcase end of all cylinder liners. 

13. Check main bearing cap tightness (9950-1100 psi hydraulic) and side bolts 
(hammer tight). Alternately confirm cap tightness to frame and saddle to .0015 
feeler gauge. 

14. Visually examine gear train and drives, cam shafts and bearing, push rods and 
rocker arms. 

15. Check crankshaft alignment and bearing clearances. 

16. Check connecting rod bearing clearances with feeler gauge. 

17. Inspect all ledges and comers in crankcase for debris which could indicate other 
mechanical problems. Confirm all cotters, safety wire and lock tabs are in place 
and tight. 

18. Water test engine and inspect for internal and external leaks. Isolate J.W. surge 
tank and test entire system at 40 psi. After engine is returned to operation and has 
reached normal operating temperature, remove each rocker cover and inspect for 
water leaks at top area of cylinder head. 

19. Check alternator coils and poles for indication of movement (visual). 

20. Drain and refill alternator bearing lube sump. If oil has contaminants, pull 
bearing cap and inspect journal. 
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21. Inspect and clean (if required) overspeed trip mechanism. Check operation 

according to overspeed trip test instructions. 

Biannually (2-3 years) 

1. All preceding instructions. 

2. Gear Train 

a. Check backlash (.2 - .4 mm/ .008 - .016 inches). 

b. Check camshaft flexible drive locking plate capscrews for indication of 
loosening (sheared locks). Tighten and relock if required. 

3. Check fuel control linkage roll pins for tightness. Replace worn parts. 

4. Remove one pair of exhaust valve cage assembly, inspect and repair if required. 
It is recommended that the valve selection be made by the serviceman and based 
on engine operating data. 

The above recommendations are basic and may be altered dependent upon site 
experience. Deletions and/or additions may be made depending upon site operating 
history. The five year inspection should be reviewed with the factory. 
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Appendix C - Millstone Unit 3 EDG System Basic Events and 
Fault Tree 


The following material is a summary of the fault tree information used in the 
Probabilistic Risk Assessment of Millstone 3 [50]. 

Table C.l includes a listing of the basic events which are used in the MP-3 fault 
tree. Each basic event description is accompanied by its corresponding rate, exposure, 
and probability of occurance. 

Figure C.l includes those segments of the Millstone 3 EDG system fault tree that 
are affected by changes to the EDG refueling outage inspection. A complete fault tree 
can be located in Dulik’s report[3]. 


104 


Event 

U 


Description 


Rate 


Exposure 


Probability 


nHi 

BATTERY CHARGER 1 FAILS DURING OPERATION 

7.000e-06 

8760 

6.132e-02 

2 

DC PANEL 30IA-1 BUS FEED BREAKER FAILS TO REMAIN CLOSED 

L520e-06 

8760 

L332e-02 

3 

DC PANEL 301A-1 BUS FEED BREAKER FAILS TO REMAIN CLOSED 

L520e-06 

8760 

1.332e-02 

4 

METAL ENCLOSED DC BUS 301A1 BUS-TO-TO-GROUND SHORT 

2.000e-07 

8760 

L752e-03 

5 

LOSS OF OFFSITE POWER 

l.OOOe-i-OO 

0.041 

4.100e-02 

6 

(INIT) EXPANSION JOINT EXJl A RUPTURES 

8.480e-08 

8760 

7.428e-04 

7 

(INIT) EXPANSION JOINT EXJIC RUPTURES 

8.480e-08 

8760 

7,428e-0'4 

8 

(INIT) MOTOR OPERATED VALVE V102A FAILS TO REMAIN OPEN 

L400e-07 

8760 

1.226e-03 

9 

(INIT) MOTOR OPERATED VALVE V102C FAILS TO REMAIN OPEN 

L400e-07 

8760 

L226e-03 

10 

(INIT) CCF OF SERVICE WATER PUMPS ‘A’ AND ‘C’ FAILS TO RUN 

3.200e-05 

876 

2.803e-02 

11 

(INIT) SERVICE WATER PUMP SWPIA FAILS TO RUN 

3.200e-05 

8760 

2.803e-02 

12 

(INIT) SERVICE WATER PUMP SWPIC FAILS TO RUN 

3.200e-05 

8760 

2.803e-02 

13 

SERVICE WATER OUTLET VALVE AOV39A FAILS TO OPEN ON 

DEMAND 

2.000e-03 

1 

2.000e-03 

14 

BUS FEED BREAKER 32T1-2 FAILS TO REMAIN CLOSED 

L520e-06 

24 

3.648e-05 

15 

BUS FEED BREAKER 32T4-2 FAILS TO REMAIN CLOSED 

L520e-06 

24 

3.648e-05 

16 

BUS FEED BREAKER 32T6-2 FAILS TO REMAIN CLOSED 

L520e-06 

24 

3.648e-05 

17 

34A TO 34C BUS TIE BREAKER 34C-1T-2 FAILS TO OPEN ON DEMAND 

L580e-04 

6 

9.480e-04 

18 

BUS FEED BREAKER 34C3-2 FAILS TO REMAIN CLOSED 

L520e-06 

24 

3.648e-05 

19 

TRANSFER PUMP ‘PIA ‘42 BREAKER’ FAILS TO CLOSE 

3.380e-04 

1 

3.380e-04 

20 

TRANSFER PUMP *P1C ‘42 BREAKER’ FAILS TO CLOSE H 

3.380e-04 

1 

3.380e-04 

21 

BUS FEED BREAKER TO 34C AUX CIRCUIT FAILS TO REMAIN CLOSED 

L520e-06 

24 

3.640e-05 

22 

‘42 BREAKER’ FOR *FN1 A FAILS TO CLOSE ON DEMAND 

3.380e-04 

1 

3.380e-04 

23 

‘42 BREAKER’-FOR *FN1C FAILS TO CLOSE ON DEMAND 

3.380e-04 

1 

3.380e-04 

24 

DIESEL GENERATOR A OUTPUT BREAKER FAILS TO CLOSE ON 

DEMAND 

3.380e-04 

1 

3.380e-04 

25 

FAILURE TO SHED MAJOR EQUIP. LOADS (BREAKER FAILS TO OPEN) 

L580e-04 

30 

4.740e-03 

26 

METAL ENCLOSED AC BUS-TO-GROUND SHORT (BUS 32T) 

2.000e-07 

24 

4.800e-06 

27 

METAL ENCLOSED AC BUS-TO-GROUND SHORT (BUS 34C) 

2.000e-07 

24 

4.800e-06 

28 

METAL ENCLOSED AC BUS-TO-GROUND SHORT (MCC 32-lT) 

2.000e-07 

24 

4.800e-06 

29 

METAL ENCLOSED AC BUS-TO-OROUND SHORT (MCC 32-5T) 

2.000e-07 

24 

4.800e-06 

30 

METAL ENCLOSED BUS VIAC-1 BUS-TO-GROUND SHORT 

2.000e-07 

24 

4.800e-06 

31 

CONTACT PAIR 27R56 FAILS TO CLOSE 

L350e-04 

6 

8.100e-64 

32 

CONTACT PAIR 27Y12 FAILS TO CLOSE 

L350e-04 

6 

8.100e-04 

33 

CONTACT PAIR 62V13 FAILS TO CLOSE 

L350e-04 

6 

8.100e-04 

34 

CONTACT PAIR 62W15 FAILS TO CLOSE 

L350e-04 

6 

8.100e-04 

35 

CONTACT PAIR 62Y62FAILS TO CLOSE 

L350e-04 

6 

8.100e-04 

36 

CONTACT PAIR 3A-3EGS*EG-A CAl-CBl FAILS TO CLOSE 

L350e-04 

6 

8.100e-04 

37 

CONTACT PAIR 3A-3EGS*EG-ACCl-CDl FAILS TO CLOSE ! 

L350e-04 

6 

8.100e-04 

38 

DIESEL GENERATOR A UNAVAILABLE DUE TO TEST OR 

MAINTENANCE 

LlOOe-02 

1 

l.lOOe-02 

39 

EDG A FAILS TO START ON DEMAND (INCLUDES FAILURE TO RUN) 

L640e-02 

1 

L640e-02 

40 

OUTLET DAMPER 20A FAILS TO OPEN I 

4.000e-03 

1 

4.000e-03 

41 

OUTLET DAMPER 20C FAILS TO OPEN 

4.000e-03 

1 

4.000e-03 

42 

INLET DAMPER 23 A FAILS TO OPEN 

4.000e-03 

1 

4.000e-03 

43 

RECIRC DAMPER 26A FAILS TO CLOSE 

4.000e-03 

1 

4.000e-03 

44 

EDG LOAD SEQUENCER ‘A’ FAILS ON DEMAND 

LOOOe+00 

7.580e-04 

7.580e-04 

45 

FAN UNIT ♦FN1A FAILS TO RUN 

7.890e-06 

24 

L894e-04 

46 

FAN UNIT *FN1A FAILS TO START 

4.840e-04 

1 

4.840e-04 

47 

FAN UNIT *FN1 A OUT OF SERVICE FOR MAINTENANCE 

5.660e-04 

1 

5.660e-04 

48 

"fan UNIT *FN1C FAILS TO RUN 

7.890e-06 

24 

L894e-04 

49 

FAN UNIT ♦FNIC FAILS TO START 

4.840e-04 

1 

4.840e-04 

50 

FAN UNIT *FN1C OUT OF SERVICE FOR MAINTENANCE 

5.660e-04 

1 

5.660e-04 

51 

FUSE VlACl FAILS TO REMAIN CLOSED 

5.000e-07 

24 

L200e-05 

52 

DC TO AC POWER INVERTER-1 FAILS DURING OPERATION 

2.000e-05 

24 

4.800e-04 


Table C.l Basic Events 
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Event 

# 

Description 

Rate 

Exposure 

Probability 

53 

LEVEL SWITCH LS40A FAILS TO OPERATE (LOW DAY TANK LEVEL) 

LOOOe -05 

1 

l.OOOe -05 

54 

LEVEL SWITCH LS41A FAILS TO OPERATE (LOW-LOW DAY TANK 

LEVEL) 

LOOOe-05 

I 

LOOOe-05 

55 

FUEL OIL TRANSFER PUMP ‘PIA FAILS TO RUN 

2.500e-05 

24 

6.000e-04 

56 

FUEL OIL TRANSFER PUMP ‘PIA FAILS TO START 

2.000e-03 

1 

2.000e-03 

57 

FUEL OIL TRANSFER PUMP ’PIC FAILS TO RUN 

2.500e-05 

24 

6.000e-04 

58 

FUEL OIL TRANSFER PUMP *P1C FAILS TO START 

2.000e-03 

1 

2-000e-03 

59 

RELAY COIL 27Y2 FAILS TO ENERGIZE 

l.OOOe-04 

6 

6.000e-04 

60 

RELAY COIL 27R FAILS TO DEENERGIZE 

l.OOOe-04 

6 

6.000e-04 

61 

RELAY COIL 62V FAILS TO ENERGIZE 

LOOOe-04 

6 

6.000e-04 

62 

RELAY COIL 62W FAILS TO ENERGIZE 

LOOOe-04 

6 

6.000e-04 

63 

RELAY COIL 62Y FAILS TO ENERGIZE 

LOOOe-04 

6 

6.000e-04 

64 

FUEL OIL STORAGE TANK TKIA RUPTURES 

I.OOOe-07 

24 

2.400e-06 

65 

FUEL OIL DAY TANK TK2A RUPTURES 

L000e.07 

24 

2.400e-06 

66 

TRANSFORMER 34C3-IX FAILS TO OPERATE 

L200e-06 

24 

2.880e-05 

67 

TEMPERATURE SWITCH TS32A FAILS TO OPERATE 

2.000e-04 

1 

2.000e-04 

68 

CCF - SW AIR OPERATED VALVES *39A, B FAIL TO OPEN ON DEMAND 

2.000e-03 

0-068 

L360e-04 

69 

CCF OF DGs TO START ON DEMAND (INCLUDES FAILURE TO RUN) 

L640e-02 

0.068 

l.ll5e-03 

70 

CCF TO RUN OF TRANSFER PUMPS *P1A AND *P1C 

2.500e-05 

2.4 

6.000e-05 

71 

CCF TO START OF TRANSFER PUMPS *P1 A AND *P1C 

2.000e-03 

0.1 

2.000e-04 

72 

DC PANEL 301A-1A BUS FEED BREAKER FAILS TO REMAIN CLOSED 

L520e-06 

24 

3.648e-05 

73 

DC PANEL 301A-IB BUS FEED BREAKER FAILS TO REMAIN CLOSED 

L520e-06 

24 

3.648e-05 

74 

DC PANEL 30IA-I BUS FEED BREAKER FAILS TO REMAIN CLOSED 

1.520e-06 

24 

3.648e-05 

75 

DC BUS 301A-I FEED BREAKER TO INVl FAILS TO REMAIN CLOSED - -. 

L520e-06 

24 

3.648e-05 

76 

METAL ENCLOSED DC BUS-TO-GROUND SHORT (DC PANEL 301 A-I) 

2.000e-07 

24 

4.800e-06 

77 

METAL ENCLOSED DC BUS 301A-IA BUS-TO-GROUND SHORT 

2.000e-07 

24 

4.800e-06 

78 

METAL ENCLOSED DC BUS 301A-IB BUS-TO-GROUND SHORT 

2.000e-07 

24 i 

4.800e-06 

79 

STORAGE BATTERY 301A-1 FAILS TO PROVIDE OUTPUT ON DEMAND 

5.000e-04 

1 

5.000e-04 

80 

‘42 BREAKER* FOR VENTILATION UNIT HVY*FN2A FAILS TO CLOSE 

3.380e-04 

1 

3.380e-04 

81 

AIR OPERATED DAMPER ♦23A FAILS TO OPEN 

2.000e-03 

1 

2.000e-03 

82 

VENTILATION UNIT HVY*FN2A FAILS TO RUN 

7.890e-06 

24 

1.894e-04 

83 

VENTILATION UNIT HVY*FN2A FAILS TO START 

4.840e-04 

1 

4.840e-04 

84 

TEMPERATURE SWITCH TS60A FAILS TO OPERATE 

2.000e-04 

1 

2.000e-04 

85 

CCF - AIR OPERATED DAMPERS *23A AND *23B FAIL TO OPEN 

2.000e-03 

0.068 

L360e-04 

86 

CCF - VENTILATION UNITS HVY*FN2A, FN2B FAIL TO RUN 

7.890e-06 

2.4 

1.894e-05 

87 

CCF - VENTILATION UNITS HVY*FN2A, FN2B FAIL TO START 

4.840e-04 

0.1 

4.8406-05 

88 

NOT SUMMER OPERATION 

LOOOe+00 

0.75 

7.500e-01 

89 

PUMP SWP*PI A START CIRCUIT BREAKER FAILS TO CLOSE ON 

DEMAND 

3.380e-04 

1 

3.3806-04 

90 

PUMP SWP*P1C START CIRCUIT BREAKER FAILS TO CLOSE ON 

DEMAND 

3.380e-04 

^ 3.380e-04 

1 

3.3806-04 

91 

BUS FEED BREAKER FOR VI02A FAILS TO CLOSE ON DEMAND 


1 

3.3806-04 

92 

BUS FEED BREAKER FOR V102C FAILS TO CLOSE ON DEMAND 

1 3.380e-04 

I 

3.3806-04 

93 

PUMP ‘A’ CONTACT PAIR 52S 53-54 FAILS TO CLOSE 

1.350e-04 

! 132 

1.7826-02 

94 

PUMP ‘C* CONTACT PAIR 52S 53-54 FAILS TO CLOSE 

j I.350e-04 

1 132 

1.7826-02 

95 

LOW HEADER PRESSURE CONTACT PAIR 63X12 FAILS TO CLOSE 

L350e-04 

132 

1.7826-02 

96 

LOW HEADER PRESSURE CONTACT PAIR 63X56 FAILS TO CLOSE 

1 L350e-04 

132 

l.782e-02 

97 

PUMP ‘C’ LUBRICATION FAILS (CHECK VALVE - 768 FAILS TO OPEN) 

2.000e-04 

1 

2.0006-04 

98 

PUMP ‘A* LUBRICATION FAILS (CHECK VALVE - 769 FAILS TO OPEN) 

2.000e-04 

1 

2.0006-04 

99 

CHECK VALVE PIA*V7 FAILS TO OPEN ON DEMAND 

2.000e-04 

1 

2.0006-04 

100 

CHECK VALVE PIC*V5 FAILS TO OPEN ON DEMAND 

2.000e-04 

1 

2.000e-04 

101 

MOTOR OPERATED VALVE V102A FAILS TO OPEN ON DEMAND 

4.000e-03 

1 

4.0006-03 

102 

MOTOR OPERATED VALVE VI02C FAILS TO OPEN ON DEMAND 

4.000e-03 

1 

4.0006-03 

103 

SERVICE WATER PUMP SWPl A OOS FOR MAINTENANCE 

LlOOe-02 

1 

l.lOOe-02 


Table C.l Basic Events (continued) 
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Table C.l Basic Events (continued) 


Event 

# 

Description 

Rate 

Exposure 

Probability 

104 

SERVICE WATER PUMP SWPIA FAILS TO RUN 

3.200e-05 

24 

7.680e-04 

105 

SERVICE WATER PUMP SWP1A FAILS TO START ON DEMAND 

2.400e-03 

1 

2.400e-03 

106 

SERVICE WATER PUMP SWPIC OOS FOR MAINTENANCE 

9.000e-04 

1 

9.000e-04 

107 

SERVICE WATER PUMP SWPIC FAILS TO RUN 

3.200e-05 

24 

7.680e-04 

108 

SERVICE WATER PUMP SWPIC FAILS TO START ON DEMAND 

2.400e.03 

1 

2.400e-03 

109 

SERVICE WATER TRAIN ‘A’ PUMP ‘A’ IN LEAD 

I.OOOe+00 

0.5 

5.000e-01 

110 

SERVICE WATER TRAIN ‘A’ PUMP ‘C’ IN LEAD 

l.OOOe+00 

0.5 

5.000e-01 

111 

PRESSURE SWITCH PS27A FAILS TO OPERATE 

2.000e-04 

132 

2.640e-02 

112 

CCF OF CHECK VALVES V5 AND V7 FAILS TO OPEN ON DEMAND 

2.000e-04 

0.068 

1.360e-0'5 

113 

CCF OF LUBE LINE CHECK VALVES V768 AND V769 TO CLOSE 

2.000e-04 

0.068 

1.360e-05 

114 

CCF OF ALL 4 LUBE LINE CHECK VALVES TO OPEN 

2.000e-04 

0.00029 

5.800e-08 

115 

CCF OF ALL 4 DISCHARGE CHECK VALVES TO OPEN 

2.000e-04 

0.00029 

5.800e-08 

116 

CCF OF MOTOR OPERATED VALVES i02A AND 102C FAILS TO OPEN ON 
DEMAND 

4.000e-03 

0.068 

2.720e-0"4 

117 

CCF OF ALL 4 DISCHARGE MOTOR OPERATED VALVES TO OPEN 

4.000e-03 

0.00029 

I.I60e-06 

118 

CCF OF ALL 4 SERVICE WATER PUMPS TO START 

2.400e-03 

0.0022 

5.280e-06 

119 

CCF OF SERVICE WATER PUMPS ‘A’ AND ‘C’ FAIL TO RUN 

3.200e-05 

2.4 

7.680e-05 

120 

CCF TO START OF SW PUMPS ‘A’ AND ‘C’ 

2.400e-03 

0.1 

2.400e-04 

121 

OPERATOR FAILS TO START FOLLOW PUMP 

LOOOe+00 

0.01 

l.OOOe-02 


Table C.l Basic Events (continued) 
































































































Figure C.l MP-3 EDG Fault Tree 
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